EPAS

EcoStruxure™ Power Automation System


Application Note
Cybersecurity - Active Directory and GPO Management
Version: EPAS CS-AD/EN AN/E50.1
01/2023
Legal Information
The Schneider Electric brand and any trademarks of Schneider Electric SE and its subsidiaries
referred to in this guide are the property of Schneider Electric SE or its subsidiaries. All other
brands may be trademarks of their respective owners.

This guide and its content are protected under applicable copyright laws and furnished for
informational use only. No part of this guide may be reproduced or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), for any purpose,
without the prior written permission of Schneider Electric.

Schneider Electric does not grant any right or license for commercial use of the guide or its
content, except for a non-exclusive and personal license to consult it on an "as is" basis.
Schneider Electric products and equipment should be installed, operated, serviced, and
maintained only by qualified personnel.

As standards, specifications, and designs change from time to time, information contained in this
guide may be subject to change without notice.

To the extent permitted by applicable law, no responsibility or liability is assumed by Schneider
Electric and its subsidiaries for any errors or omissions in the informational content of this material
or consequences arising out of or resulting from the use of the information contained herein.
Disclaimer
No responsibility is assumed by Schneider Electric for any consequences arising out of the use of
this guide. This guide is not intended as an instruction manual for untrained persons. The guide
cannot cover all conceivable circumstances or include detailed information on all topics. In the
event of questions or specific issues, do not take any action without proper authorisation. Contact
Schneider Electric and request the necessary information.

There may be websites linked to and from this site that are operated or created by organizations
outside of Schneider Electric. Those organizations are solely responsible for the operation and
information (including the right to display such information) found on their respective websites.
The linking to or from this site does not imply on the part of Schneider Electric any endorsement or
guarantee of any of the organizations or information (including the right to display such
information) found on their respective websites.

Schneider Electric does not assume and is not responsible for any liability whatsoever for the
linking of any of these linked websites, the operation or content (including the right to display such
information) of any of the linked websites, nor for any of the information, interpretation, comments
or opinions expressed in any of the linked websites. Any comments or inquiries regarding the
linked websites are to be directed to the particular organization for whom the particular website is
being operated.

Contact information
Schneider Electric

35 rue Joseph Monier


92500 Rueil Malmaison
France

+33 (0) 1 41 29 70 00

https://www.se.com
Safety Information
Important Information
Read these instructions carefully and look at the equipment to become familiar with the
device before trying to install, operate, service or maintain it. The following special
messages may appear throughout this bulletin or on the equipment to warn of potential
hazards or to call attention to information that clarifies or simplifies a procedure.

The addition of either symbol to a "Danger" or "Warning" safety label indicates that an
electrical hazard exists which will result in personal injury if the instructions are not followed.
This is the safety alert symbol. It is used to alert you to potential personal
injury hazards. Obey all safety messages that follow this symbol to avoid
possible injury or death.

DANGER
DANGER indicates a hazardous situation which, if not avoided, will result in death or serious
injury.

Failure to follow these instructions will result in death or serious injury.

WARNING
WARNING indicates a hazardous situation which, if not avoided, could result in death or
serious injury.

Failure to follow these instructions could result in death, serious injury or equipment
damage.

CAUTION
CAUTION indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.

Failure to follow these instructions could result in injury or equipment damage.

NOTICE
NOTICE is used to address practices not related to physical injury.

Failure to follow these instructions could result in equipment damage.


Please Note
Electrical equipment should be installed, operated, serviced and maintained only by qualified
personnel. No responsibility is assumed by Schneider Electric for any consequences arising out
of the use of this material.

A qualified person is one who has skills and knowledge related to the construction, installation,
and operation of electrical equipment and has received safety training to recognize and avoid the
hazards involved.

Secure Disposal

It is recommended that incineration and disposal to water courses is avoided. The
equipment should be disposed of in a safe manner and with a secure disposal of
confidential embedded information.

Secure disposal refers to the process and result by which information, including
information held on the equipment, is irreparably destroyed so as to maintain the
security of the equipment and information during the process and up to the point of
irremediable destruction.

Any equipment containing batteries should have them removed before disposal,
taking precautions to avoid short circuits. Particular regulations within the country of
operation, may apply to the disposal of the equipment.
Announcement
EcoStruxure™ Power Automation System (EPAS)
If former brand names such as “EcoStruxure Substation Operation”, “ESO” or “PACiS” still
appear in this documentation, please consider them as referring to "EcoStruxure™ Power
Automation System".

Communication Gateway
The communication gateway offer has been rebranded to “EcoStruxure™ Power Automation
System Gateway” (EPAS-Gateway). If any former brand names still appear inadvertently,
please consider them as referring to “EcoStruxure™ Power Automation System” and/or
“EcoStruxure™ Power Automation System Gateway”.
EPAS Cyber Security - Active Directory and GPO management Table of Contents

Table of Contents
Legal Information 2
Disclaimer 3
Safety Information 4
Announcement 6
Table of Contents 7
1 About This Guide 9
1.1 Document Scope 9
1.2 Related Documents 9
1.3 Service Information 9
2 What's new? 10
2.1 Current guide revision 10
3 Overview 11
3.1 Active Directory Presentation 11
4 Active Directory in an EPAS Infrastructure 13
4.1 Typical EPAS Active Directory Organization 13
4.1.1 Security Groups 16
4.1.2 Group Membership 17
4.1.3 Group Policy 17
5 Active Directory Management 18
5.1 Process Overview 18
5.2 Prerequisites - Phase 1 19
5.2.1 Computer Synchronization 19
5.2.2 Getting Installed Active Directory Management Tools 19
5.2.2.1 Install the Active Directory Domain Services 19
5.2.2.2 Install Active Directory Users and Computers (if missing or to be tuned) 19
5.2.2.3 Install Group Policy Management (if missing) 20
5.2.3 Setting up the Active Directory in the Security Server 20
5.2.3.1 Before you begin 20
5.2.3.2 Promoting the server to a Domain Controller 21
5.3 Creating Active Directory Structure - Phase 2 22
5.3.1 How to create OUs 22
5.3.2 How to create Computers 24
5.3.2.1 How to move a computer object from one container (OU) to another 25
5.3.3 How to create Users 25
5.3.3.1 How to move a user object from one container (OU) to another: 26
5.3.4 How to create Groups 26
5.4 EPAS GPO Management - Phase 3 27
5.4.1 GPO Rules 27
5.4.2 How to Create a GPO and Edit GPO Settings 28
5.4.2.1 Create a GPO 28

EPAS CS-AD/EN AN/E50.1 7


5.4.2.2 Edit GPO Settings 29


5.4.3 How to Link an OU to an Existing GPO 30
5.4.4 How to Backup, Restore GPOs and Import GPOs Policies 31
5.4.4.1 Backup GPOs 31
5.4.4.2 Restore GPOs 32
5.4.4.3 Import GPO Policies 34
5.4.5 How to Apply EPAS GPOs 34
6 EPAS GPOs 35
6.1 How to install EPAS GPO 35
6.2 How to update EPAS GPOs 40
6.3 EPAS GPO Organization Example 40
7 Glossary 44




1 About This Guide


1.1 Document Scope
This document is an Application Note of the EPAS user documentation. It provides information
and recommendations to help the user create the Active Directory structure in an EPAS security
architecture and on how to apply the EPAS GPO library provided.

The procedures described in this guide apply to the devices and software applications within the
EPAS security network.

1.2 Related Documents


Find in this table complementary documentation to this application note:

Title of Documentation
EPAS - Windows and Linux Hardening - Application Note
EPAS Cyber Security User Manual
CAE User Manual
EcoSUI - User Manual
MiCOM C264 - User Manual
Easergy C5 - User Manual
EPAS-Gateway - User Manual

1.3 Service Information


For the Schneider Electric Support Center in your location, you can visit
https://www.se.com/ww/en/work/support/




2 What's new?
2.1 Current guide revision
Revision Number: E50.1
Release Date: 01/2023

Content changes:

Chapter   Topic        Change

Document  All topics   Migration of the EPAS Cyber Security - Active Directory and GPO Management
                       Application Note version E50 to a new content authoring platform providing
                       multi-channel publishing PDF and HTML5.

Document  All topics   Update of the entire document based on the new EPAS Active Directory
                       Requirements and the new validated EPAS GPO library in compliance with CIS
                       benchmark and in conformity to Microsoft baseline.




3 Overview
This application note helps the Security Administrator define and configure the Active Directory of
an EPAS infrastructure.

In this document you can learn:


• How to create a security domain architecture (Computers, Users and Groups) for a system
network.
• How to manage Group Policy Objects (GPOs).

• How to apply EPAS GPO library.

3.1 Active Directory Presentation


Active Directory is a database and set of services to help the user with the access, management,
and permissions for network resources. It stores essential details about users, user permissions,
and computers.

Active Directory also helps secure the installation of software applications by:
• Enabling the management of computer user accounts and group policies from a central
location.
• Providing authentication services.

• Implementing time-tested stable technology.

• Being scalable.

• Enabling interaction with a large range of third-party software products designed for Active
Directory environment.

Some Key Definitions:


• Active Directory Logical Structure: The Active Directory logical structure allows the
administrator to organize users, computers and devices on a network into a hierarchical
structure.
• Organizational Units (OU): An OU is a container within the Active Directory domain and is
the smallest division to which an administrator can assign Group Policy settings or account
permissions. It can hold users, groups and computers with unique attributes but can not
contain objects from other domains. An OU can contain multiple OUs. Use OUs to configure
specific Group Policies based on sites, groups of users or computers.
• Security Groups are a collection of attributes that can be assigned to an object, whereas an
OU is a container of objects. Use Security Groups to assign permissions to shared resources.
• Group Policy and Group Policy Objects. Group Policy provides central administration of
settings that can be applied to multiple users and workstations without having to physically go
to and configure each computer individually.




Group Policy settings are configured and deployed by creating Group Policy Objects (GPOs).
Therefore, GPOs are containers of a collection of settings (policies) that can be applied to
multiple users and machines throughout the network.

A GPO can be associated (linked) to one or more Active Directory containers, such as a site,
domain, or organizational unit. Multiple containers can be linked to the same GPO, and a
single container can have more than one GPO linked to it. If multiple GPOs are linked to one
container, you can prioritize the order in which GPOs are applied.

For further information you can visit Linking GPOs to Active Directory Containers at Microsoft
documentation portal.




4 Active Directory in an EPAS Infrastructure


The communication architecture of the EPAS infrastructure is based on the IEC 61850 protocol. It
implements equipment and applications for the management of an Active Directory in the security
domain.

A central security server is required for the management of an Active Directory domain in EPAS.

For the purpose of this documentation, a Windows Server 2019 has been used, but the user can
choose a different one.

4.1 Typical EPAS Active Directory Organization


IMPORTANT INFORMATION
• This document is to be used for general specification purpose.

• The final Active Directory design will be defined on per customer project basis.

• The illustrations, architecture drawings and views in this document are given as examples.

The instructions provided in this document are based on the following Active Directory
hierarchical organization which is given as an example for a typical EPAS project:




The image and table below illustrate an example of the Active Directory organization of an EPAS
project:

Topic  Object  Description

1  Security domain controller
   This is the Active Directory domain. In the example and throughout this document, the
   domain name is emcs.local.
   NOTE: Each computer within the EPAS infrastructure needs to be defined in the security
   domain (learn more in "Active Directory Management" on page 18).

2  Users container
   Users is a default container. It contains Windows users and Security Groups defined in the
   security domain.

3  Computers container
   Computers is a default container. It contains the computers defined in the security domain.
   NOTE: For information, each computer added to the security domain is automatically added
   to the AD container Computers. During the architecture design, the security administrator
   will use this Computers container to move computers to the EPAS Infrastructure containers
   (learn more in "Active Directory Management" on page 18).

4  Domain Controllers container
   Domain Controllers is a default container. It contains the name of the computer that drives
   the domain controller. In the example and throughout this document, the name of the server
   is AD01.

5  Electrical System container
   Electrical System is a specific container with the EPAS infrastructure. This is the OU created
   in our example to contain the EPAS project Organizational Units (OUs).

6  Security System container
   Security System is a specific container with the EPAS security policies. This is the OU
   created in our example to contain other OU sub-containers to set specific security policies
   (WSUS, user accounts, backup and restore, etc.).

7  OUs sub-containers
   OUs can contain other OUs. Use OUs to configure specific policies based on sites, groups of
   users or computers.

8  Computers sub-containers
   During the architecture design, the security administrator will move computers from the
   Computers container (see topic 3 of this table) to OUs sub-containers.




4.1.1 Security Groups


The following security groups are recommended to be created in the Active Directory of an EPAS
project:

Security Group  AD Container  Description  Members

SECADM
   AD Container: Administration Group
   Description: This group is in charge of administrating user accounts (creation, modification,
   deletion), defines the security policy and access, and analyzes security logs.
   Members: SecurityAdmin (User)

INSTALLER
   AD Container: ACS Group
   Description: This group has administrator rights on the system. This group has Windows
   remote access rights.
   Members: Installer (User)

ENGINEER
   AD Container: ACS Group
   Description: An engineer has Windows standard user rights. In order to start/stop the
   software application, the user has to access the operating system of the automation
   component and reboot the automation component.
   Members: Engineer (User)

OPERATOR
   AD Container: ACS Group
   Description: An operator has Windows standard user rights. In order to start/stop the
   software application, the user has to access the operating system of the automation
   component.
   Members: Operator (User)

VIEWER
   AD Container: ACS Group
   Description: This group has a special group policy including the Auto Log on feature. This
   group is automatically logged on after computer start-up. No file system is available. This
   group has Windows standard user rights.
   Members: Viewer (User)




4.1.2 Group Membership


The following memberships are recommended to be set in the Active Directory of an EPAS
project:

Learn how to add members to a group in "How to create Groups" on page 26

Security Group                          Members

Administrators (Windows default)        INSTALLER, SECADM

Users (Windows default)                 ENGINEER, OPERATOR, VIEWER

Remote Desktop Group (Windows default)  INSTALLER, SECADM
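The two tables above are a design to be checked, not only applied. The following PowerShell function is an added example (it is not part of this application note and not Schneider Electric code) that verifies, read-only, that the five EPAS security groups of 4.1.1 exist and that the built-in groups of 4.1.2 contain exactly the recommended members. It assumes the ActiveDirectory RSAT module and read access to the domain, and takes the guide's "Remote Desktop Group" to be the built-in group Remote Desktop Users; the EPAS group names are the guide's.

```powershell
# Added example, not part of the application note: verifies the security
# groups of section 4.1.1 and the recommended built-in group membership of
# section 4.1.2 without changing anything. Assumes the ActiveDirectory RSAT
# module and read access to the domain. "Remote Desktop Group" in the guide is
# taken to be the built-in group Remote Desktop Users.
Import-Module ActiveDirectory

$EpasGroups = @('SECADM', 'INSTALLER', 'ENGINEER', 'OPERATOR', 'VIEWER')

# Recommended direct members of the built-in groups (section 4.1.2).
$RecommendedMembership = @{
    'Administrators'       = @('INSTALLER', 'SECADM')
    'Users'                = @('ENGINEER', 'OPERATOR', 'VIEWER')
    'Remote Desktop Users' = @('INSTALLER', 'SECADM')
}

# Members Windows itself places in these groups; not reported as unexpected.
$DefaultMembers = @('Administrator', 'Domain Admins', 'Enterprise Admins', 'Domain Users')

function Test-EpasGroupMembership {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($name in $EpasGroups) {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            $findings.Add([pscustomobject]@{ Group = $name; Issue = 'GroupMissing'; Member = '' })
        }
    }

    foreach ($builtin in $RecommendedMembership.Keys) {
        # Read the member attribute and resolve each DN. This also works for
        # built-in groups holding foreign security principals such as
        # Authenticated Users, which are skipped by the class filter below.
        $memberDns = (Get-ADGroup -Identity $builtin -Properties member).member
        $members   = foreach ($dn in $memberDns) { Get-ADObject -Identity $dn }
        $actual    = $members | Where-Object { $_.ObjectClass -in 'group', 'user' } |
                     Select-Object -ExpandProperty Name

        foreach ($expected in $RecommendedMembership[$builtin]) {
            if ($expected -notin $actual) {
                $findings.Add([pscustomobject]@{ Group = $builtin; Issue = 'MemberMissing'; Member = $expected })
            }
        }
        # Anything else (an extra group, or a user account nested directly) is
        # a deviation from the design; an OPERATOR placed in Administrators
        # would surface here.
        foreach ($extra in $actual) {
            if ($extra -notin $RecommendedMembership[$builtin] -and $extra -notin $DefaultMembers) {
                $findings.Add([pscustomobject]@{ Group = $builtin; Issue = 'UnexpectedMember'; Member = $extra })
            }
        }
    }
    return $findings
}

# Usage: an empty result means the domain matches the recommended design.
Test-EpasGroupMembership | Format-Table -AutoSize
```

Run it on the domain controller after phase 2 and again as a periodic check: membership of Administrators and Remote Desktop Users is what grants INSTALLER and SECADM their rights, so an unexpected member there is the first thing to investigate. On a member computer the same table can be checked against the local groups with Get-LocalGroupMember.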

4.1.3 Group Policy


The CIS Compliance GPOs are the minimum Group Policies to be applied to an EPAS project (learn
more in "EPAS GPOs" on page 35). The user can add others based on project needs:

Group Policies Applied                   Description

W10-1809_C_Security Compliance_CIS       CIS Microsoft Windows 10 Enterprise (EWS) - Computers
W10-1809_S_Security Compliance_CIS       CIS Microsoft Windows 10 Enterprise (EWS)
W10-1809_U_Security Compliance_CIS       CIS Microsoft Windows 10 Enterprise (EWS) - Users
WS19-1809_C_DC_Security Compliance_CIS   CIS Microsoft Windows Server 2019 (DC) - Computers
WS19-1809_S_DC_Security Compliance_CIS   CIS Microsoft Windows Server 2019 (DC)
WS19-1809_U_DC_Security Compliance_CIS   CIS Microsoft Windows Server 2019 (DC) - Users
WS19-1809_C_Security Compliance_CIS      CIS Microsoft Windows Server 2019 (WSUS) - Computers
WS19-1809_U_Security Compliance_CIS      CIS Microsoft Windows Server 2019 (WSUS) - Users
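A GPO that has been imported but is linked nowhere, or linked only with disabled links, applies to no computer or user. The following function is an added example (not part of this application note and not Schneider Electric code) that reports, for each GPO of the table above, whether it exists in the domain and which containers it is linked to. It assumes the GroupPolicy and ActiveDirectory RSAT modules and the guide's example domain emcs.local; the GPO names are the guide's.

```powershell
# Added example, not part of the application note: reports whether each CIS
# compliance GPO of section 4.1.3 exists and where it is linked. Assumes the
# GroupPolicy and ActiveDirectory RSAT modules and the example domain emcs.local.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$RequiredGpos = @(
    'W10-1809_C_Security Compliance_CIS',
    'W10-1809_S_Security Compliance_CIS',
    'W10-1809_U_Security Compliance_CIS',
    'WS19-1809_C_DC_Security Compliance_CIS',
    'WS19-1809_S_DC_Security Compliance_CIS',
    'WS19-1809_U_DC_Security Compliance_CIS',
    'WS19-1809_C_Security Compliance_CIS',
    'WS19-1809_U_Security Compliance_CIS'
)

function Get-EpasGpoStatus {
    [CmdletBinding()]
    param([string]$DomainName = 'emcs.local')

    # Gather every link in the domain once: the domain root plus all OUs.
    $targets  = @((Get-ADDomain -Server $DomainName).DistinguishedName)
    $targets += Get-ADOrganizationalUnit -Filter * -Server $DomainName |
                Select-Object -ExpandProperty DistinguishedName

    $linksByGpo = @{}
    foreach ($target in $targets) {
        foreach ($link in (Get-GPInheritance -Target $target -Domain $DomainName).GpoLinks) {
            if (-not $linksByGpo.ContainsKey($link.DisplayName)) {
                $linksByGpo[$link.DisplayName] = @()
            }
            $linksByGpo[$link.DisplayName] += $link
        }
    }

    foreach ($name in $RequiredGpos) {
        $gpo = try { Get-GPO -Name $name -Domain $DomainName -ErrorAction Stop } catch { $null }
        $enabledLinks = @($linksByGpo[$name] | Where-Object { $_.Enabled })

        # Missing, all settings disabled, or no enabled link: the policy
        # protects nothing, whatever the GPMC tree looks like.
        $status = if (-not $gpo) { 'Missing' }
                  elseif ($gpo.GpoStatus -eq 'AllSettingsDisabled') { 'AllSettingsDisabled' }
                  elseif ($enabledLinks.Count -eq 0) { 'NotLinked' }
                  else { 'Applied' }

        [pscustomobject]@{
            Gpo      = $name
            Status   = $status
            LinkedTo = ($enabledLinks | ForEach-Object { $_.Target }) -join '; '
            Modified = if ($gpo) { $gpo.ModificationTime } else { $null }
        }
    }
}

# Usage: anything other than Applied needs attention before the system goes live.
Get-EpasGpoStatus | Format-Table -AutoSize
```

The LinkedTo column is the useful part for review: a computer policy (the _C_ GPOs) linked to an OU that holds only user objects is as ineffective as one that is not linked at all, and the Modified timestamp makes an unexpected change to a baseline visible.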




5 Active Directory Management


This section helps the operator get started, build and administer the Active Directory structure of
an EPAS infrastructure.

In this manual, Windows Server 2019 and Microsoft's directory service, Active Directory, are used
to build the EPAS directory structure, but the user can choose a different server and directory
service provider.

NOTE: To manage the Active Directory the user can choose other third-party software.

5.1 Process Overview


This table summarizes the phases to create and configure the Active Directory structure of an
EPAS infrastructure.

NOTE: Please follow the order of the steps provided in the table below.

Phase  Name  Operations

1  Prerequisites
   Check whether the equipment, applications and configurations required for Active Directory
   management are implemented and operational on the EPAS infrastructure network.
   The Security Administrator needs to check:
   • Computers synchronization: all the computers on the network are synchronized (time
     synchronization).
   • Active Directory Management tools availability (for Windows Server: Active Directory
     Domain Services, Active Directory Users and Computers and Group Policy Management
     tools).
   • The Central Security Server (Windows Server 2019 in our example) is operational with an
     Active Directory set up.

2  Creating Active Directory Structure
   Build the Active Directory database:
   • Create all EPAS OUs, Users, Groups and Computers on the Domain.

3  GPO Management
   Install and apply the EPAS GPO official delivery.




5.2 Prerequisites - Phase 1


This section provides requirements to be met before starting to create your EPAS project active
directory and group policy.

5.2.1 Computer Synchronization


For security reasons and optimal operation, all the computers to be added to the Active Directory,
as well as the Central Security Server (in our example Windows Server) need to be synchronized
(time synchronization).

5.2.2 Getting Installed Active Directory Management Tools


NOTE:
Following procedures are given for Windows Server 2019.
Remote Server Administration Tools (RSAT) for Windows Server 2019 is the tool chosen to
manage the Active Directory server in our example but the user can choose other third-party
software.

To manage the Active Directory on the Central Security Server, we will be using the following
Active Directory Management tools:
• Active Directory Domain Services (ADDS) for setting up the Security Domain Controller.

• Active Directory Users and Computers (ADUC) for the Active Directory organization.

• Group Policy Management Console (GPMC) for the management of the Group Policy
Objects (GPOs).

5.2.2.1 Install the Active Directory Domain Services


• From Windows Server Manager, go to Manage > Add Roles and Features and select
Role-based or feature-based installation.
• In Server Roles, check the box Active Directory Domain Services, then in the pop-up
check the box Include management tools (if applicable) and click Add Features. Click
Next until you get to the Confirm installation selections window, then click Install.

5.2.2.2 Install Active Directory Users and Computers (if missing or to be tuned)

NOTE: With Windows Server 2019, Active Directory Users and Computers is set up by
default with Active Directory Domain Services but needs to be tuned.

To tune the setup of this tool, run the following procedure:


• From Windows Server Manager, go to Manage > Add Roles and Features and select
Role-based or feature-based installation.
• In Server Roles, click Next.




• In Features, check the box Remote Server Administration Tools, expand Role
Administration Tools and check all sub-features of AD DS and AD LDS Tools, then click
Next. Finally, in Confirm installation selections window, click Install.

5.2.2.3 Install Group Policy Management (if missing)

NOTE: With Windows Server 2019, Group Policy Management is setup by default with Active
Directory Domain Services.

If the setup of this tool is missing, run the following procedure:


• From Windows Server Manager, go to Manage > Add Roles and Features and select
Role-based or feature-based installation.
• In Server Roles, check the box Group Policy Management and click Next. In Confirm
installation selections window, click Install.

The Active Directory Management Tools can now be found under the Tools menu in the
Server Manager application.

For more information on these tools, you can visit Microsoft > Docs > Remote Server
Administration Tools or RSAT features on demand.

5.2.3 Setting up the Active Directory in the Security Server


NOTE: The Central Security Server (e.g. Windows Server) needs to be synchronized with the
devices on the network.

The following procedure is given for Windows Server 2019.

5.2.3.1 Before you begin


The following actions are required:
• Log in to the server with Administrator rights.

• Change the server name to match your project requirements. In our example it will be named
AD01.

On the Server Manager console, go to Local Server, click Computer name, click
Change and in the Computer Name/Domain Changes window, in Computer name
type the name for the server (e.g. AD01) and click OK. Then OK, Close at the System
Properties window, then finally click Restart Now.
• Set up the server with a static IP address:

On the Server Manager console, go to Local Server, click Ethernet, right-click on the
Ethernet adapter icon and select Properties.

In Ethernet Properties, select Internet Protocol Version 4 (TCP/IPv4) and click
Properties.

In Internet Protocol Version 4 (TCP/IPv4) Properties select Use the following DNS
server addresses and enter the same IP address defined in the Use the following IP
address > IP address (this is the server IP address).

5.2.3.2 Promoting the server to a Domain Controller


• On the Server Manager console, go to Manage > Promote this server into a domain
controller. This will lead you automatically to the Active Directory Domain Services
Configuration Wizard.
• In the Deployment Configuration window, in Select the deployment operation, choose
the option that suits to your project, typically Add a new forest and define the Root domain
name (e.g. emcs.local in this document).

• In Domain Controller Options, leave the boxes Domain Name System (DNS) server and
Global Catalog (GC) checked and define a Directory Services Restore Mode (DSRM)
password.
• In Additional Options, in The NetBIOS domain name box, enter the same name as the
Root domain name (i.e., emcs.local).
• Select a folder where to store the Database, Log files and SYSVOL.

• In Review Options, if you agree with your selections, click Next again and, if the
Prerequisites Check is successful, click Install.
• Once installation finished, the server restarts automatically.

• Now, in your Windows Server login window instead of user Administrator, it will show
EXAMPLE/Administrator since the server has been promoted as a Domain Controller.
• On the Server Manager console, go to Tools menu and select Active Directory Users and
Computers to open this tool. You can see that the Domain Controller emcs.local has been
created:
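The same preparation and promotion (sections 5.2.2 through 5.2.3.2) can be scripted, which also leaves a record of the exact configuration the Central Security Server was built with. The script below is an added example, not the application note's procedure and not Schneider Electric code. Only the server name AD01 and the domain emcs.local come from the guide; the adapter name, the addresses and the paths are constructed lab values, and the NetBIOS name EMCS is what the wizard derives from emcs.local (NetBIOS names cannot contain dots). Run the first function in an elevated PowerShell session on the server, let it reboot, then run the second.

```powershell
# Added example, not from the application note: prepares a fresh Windows Server
# 2019 as the Central Security Server and promotes it to the first domain
# controller of a new forest. Only AD01 and emcs.local are the guide's values;
# the adapter name, addresses, paths and the NetBIOS name EMCS are assumptions.

$ServerName   = 'AD01'
$DomainName   = 'emcs.local'
$NetbiosName  = 'EMCS'          # assumption: derived from emcs.local by the wizard
$AdapterName  = 'Ethernet'      # assumption
$StaticIP     = '192.0.2.10'    # constructed (RFC 5737 documentation range)
$PrefixLength = 24
$Gateway      = '192.0.2.1'     # constructed

# Step 1: roles and tools (5.2.2), static addressing and host name (5.2.3.1).
function Initialize-EpasSecurityServer {
    # AD DS with its management tools, the AD DS / AD LDS tools (ADUC) and the
    # Group Policy Management Console.
    Install-WindowsFeature -Name AD-Domain-Services, RSAT-AD-Tools, GPMC -IncludeManagementTools

    $ifIndex = (Get-NetAdapter -Name $AdapterName).ifIndex
    Set-NetIPInterface -InterfaceIndex $ifIndex -Dhcp Disabled
    # Clear any existing IPv4 address and default route before assigning the static one.
    Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Remove-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $StaticIP -PrefixLength $PrefixLength -DefaultGateway $Gateway
    # The server must use its own address as DNS server (5.2.3.1).
    Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $StaticIP

    if ($env:COMPUTERNAME -ne $ServerName) {
        Rename-Computer -NewName $ServerName -Force
    }
    # The new name takes effect at reboot; promote only after the reboot.
    Restart-Computer -Force
}

# Step 2, after the reboot: promote to domain controller of a new forest (5.2.3.2).
function Install-EpasForest {
    # DNS server and Global Catalog are enabled on the first DC. The DSRM
    # password is prompted for rather than written into the script.
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns:$true `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -SafeModeAdministratorPassword $dsrm -Force
    # The server restarts automatically once promotion finishes.
}
```

Keeping the DSRM password out of the script matters: it is the only credential that can log on to the domain controller when the directory is offline, so it belongs in the same vault as the break-glass local administrator accounts recommended at the start of phase 2.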




5.3 Creating Active Directory Structure - Phase 2


RECOMMENDATION: For security reasons, before creating the EPAS Active Directory
structure, it is recommended to create at least one Windows local administrator account in all the
computers part of the EPAS project.

Once the domain controller is promoted, you can start building your Active Directory tree
composed of OUs, Users, Computers and Groups.

Learn how in the following sections:

How to create OUs

How to create Computers

How to create Users

How to create Groups

5.3.1 How to create OUs


You can create OUs based on:
• The geographical site representation.

• The network site representation.

• A mix of both geographic and network site representation.

• Other approaches.

Step  Instructions

1     From Windows Server Manager, start the Active Directory Users and Computers tool.

2     • Select the domain name emcs.local, right-click and select New > Organizational Unit.
      • Type a name for the new OU and click OK. In our example, we are creating an OU for
        our EPAS project root infrastructure (e.g. Electrical System).
      • Repeat the operation to create as many OU containers as needed.
      • You can also create OUs inside an existing OU.




5.3.2 How to create Computers


All the computers on the EPAS Infrastructure network have to be added to the domain controller
(EPAS-UI, EPAS-Gateway, EWS and so on).

The EPAS Gateway computer must be created within the domain controller before installing the
EPAS Gateway software application, since the EPAS Gateway installer must also be an EPAS
Gateway user.

To add computers to the domain controller, follow the steps below (several options are
proposed):

Option  Instructions

1       Adding a computer using Control Panel:
        • Run the command sysdm.cpl to open the System Properties control panel.
        • In the Computer Name tab, click Change.
        • In the Computer name box, enter a name for the computer you are adding (e.g.
          GTW_T101). Then, select Domain and enter the name of the domain controller to add
          the computer to (e.g. emcs.local).
        • You will be asked to enter the credentials of a user account with permissions to add
          this computer to the domain.
        • If successfully added to the domain, a new AD computer object will be shown in the
          Computers default container.
        • Now, move the added computer from the Computers container to the OU sub-container
          you want (e.g., Computers, Security System, etc.). See How to move a computer object
          from one container (OU) to another.
        • The computer needs to be restarted for the changes to take effect.

2       Adding a computer using Windows Settings:
        Go to Start > Settings > Accounts > Access Work or School and follow the instructions.

3       Adding a computer using the command line with Windows PowerShell:
        If you have many computers to add to a domain, this option could be helpful.
        You can learn how to run Windows PowerShell in Microsoft > Docs > Starting Windows
        PowerShell.
        1. In the PowerShell console, run the Add-Computer cmdlet. This cmdlet adds a computer
           to the specified domain.
        2. Specify the domain name to add the computer to with the DomainName parameter.
        3. Optionally specify the Restart parameter to automatically restart the computer when
           finished.

           Add-Computer -DomainName DomainName -Restart

        To learn more, you can visit Microsoft > Docs > Microsoft PowerShell Management >
        Add-Computer.

5.3.2.1 How to move a computer object from one container (OU) to another

Step  Instructions

1     From Windows Server Manager, start the Active Directory Users and Computers tool.

2     • In the OU where the computer to be moved is located, select the computer object and
        right-click on it, then select Move...
      • In the Move window, select the OU where you want to move the object, then click OK.

5.3.3 How to create Users


You can create users within OUs:

Step  Instructions

1     From Windows Server Manager, start the Active Directory Users and Computers tool.

2     • Select the OU under which you want to create the new user account, right-click and
        select New > User and fill in the information for the new user.
      • Set a password for the new user account and click Finish.




5.3.3.1 How to move a user object from one container (OU) to another

Step 1: From Windows Server Manager, start the Active Directory Users and Computers
tool.

Step 2:
• In the OU where the user to be moved is located, select the user object,
  right-click on it, then select Move...
• In the Move window, select the OU where you want to move the object, then click
  OK.

5.3.4 How to create Groups

You can create Security Groups to which you can add users, computers and other groups that
require the same rights.

Learn more about Security Groups in Microsoft / Docs / Security / Identity and access protection

Step 1: From Windows Server Manager, start the Active Directory Users and Computers
tool.

Step 2:
• Select the OU under which you want to create the new group (e.g. Users), right-
  click and select New > Group, and fill in the new group name.
• Then, click OK.

Step 3: To add users to a group you can:
• Select the particular group, right-click on it and select Properties. Then, go to the
  Members tab and use the Add button to add users to the group.
• Or, select the particular user you want to add to a group, right-click on it and select
  Add to a group to add the user to the particular group.
• Or, select the particular user you want to add to a group, right-click on it and select
  Properties. Then, go to the Member of tab and select the particular group to which
  you want the user to be added.


5.4 EPAS GPO Management - Phase 3


Once the EPAS Active Directory has been configured, and the computers and all the elements on
the EPAS network are bound to the AD, the next step is setting up Group Policies.

This section describes generic procedures to help the operator get started with, and administer,
the Group Policy Objects (GPOs) in the Active Directory of an EPAS infrastructure:
• GPO Rules

• How to Create a GPO and Edit GPO Settings

• How to Link an OU to an Existing GPO

• How to Backup, Restore GPOs and Import GPOs Policies

• How to Apply EPAS GPOs

5.4.1 GPO Rules


Before you start creating and managing the GPOs in your Active Directory structure, it is
important to know the following rules related to GPO choice, application order, link order and
inheritance:

GPO Choice
The security administrator needs to apply GPOs to the created domain and OUs.

GPO Application Order
Once created, the GPOs are applied in LSDOU order.

LSDOU stands for (1) Local, (2) Site, (3) Domain, (4) OUs:

• Local policies: the local computer GPO is the first one created, when the computer is
  installed. These policies are applied first.
• Site policies: GPOs linked to a site are applied next.
• Domain policies: GPOs linked to the Active Directory domain apply next.
• Organizational Unit policies: GPOs linked to Active Directory OUs are applied
  next (parent OU first and child OU after).


GPO Link Order
If several GPOs are linked to an OU, the GPOs are applied in what is known as the link
order: the GPO with a link order of 1 has the highest precedence, followed by link
order 2, and so on.

In the example, the GPO ALL_C_Disable UAC_v1.0 will apply before
ALL_C_Disable_W32TM, then ALL_C_FW_Rules Allow IEC61850_V1.0, and so on.

To change the GPO link order, use the arrows on the left-hand side of the screen to
move the GPO up or down in the list.

GPO Inheritance
GPOs applied to a domain, site or OU are inherited by child containers.

Inheritance can be blocked (enabled/disabled), so that a GPO applied in a parent OU
will not be inherited by a child OU.
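The application order, link order and inheritance rules above can be checked on a live domain with the GroupPolicy module's Get-GPInheritance. The following is an added example, not from the application note: it walks the chain domain > parent OU > child OU for one OU, lists the GPO links at each level with their link order and inheritance flag, then prints the effective precedence. The OU path is a hypothetical one; the Site level of LSDOU is not part of an OU's distinguished name and is therefore not shown.

```powershell
# Added example (not from the application note). Requires the GroupPolicy module,
# which is installed together with the Group Policy Management tool (GPMC).
Import-Module GroupPolicy

function Show-GpoPrecedence {
    param([Parameter(Mandatory)][string]$TargetOuDn)   # e.g. "OU=X,DC=emcs,DC=local"

    # Split the DN into its OU and DC parts and rebuild the chain domain -> ... -> target OU.
    $parts  = $TargetOuDn -split ',(?=(?:OU|DC)=)'
    $domain = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    $ous    = @($parts | Where-Object { $_ -like 'OU=*' })
    $chain  = @($domain)
    for ($i = $ous.Count - 1; $i -ge 0; $i--) {
        $chain += (($ous[$i..($ous.Count - 1)]) -join ',') + ',' + $domain
    }

    # Walk the chain in application order: domain first, parent OU, then child OU.
    foreach ($container in $chain) {
        $som     = Get-GPInheritance -Target $container
        $blocked = if ($som.GpoInheritanceBlocked) { ' [inheritance blocked]' } else { '' }
        Write-Host "`n$($som.ContainerType): $($som.Path)$blocked"
        foreach ($link in ($som.GpoLinks | Sort-Object Order)) {
            $flags = @()
            if (-not $link.Enabled) { $flags += 'disabled' }
            if ($link.Enforced)     { $flags += 'enforced' }
            Write-Host ('  link order {0}: {1} {2}' -f $link.Order, $link.DisplayName, ($flags -join ' '))
        }
    }

    # InheritedGpoLinks is the effective list for the target, highest precedence first
    # (the one that wins when two GPOs set the same policy).
    $effective = (Get-GPInheritance -Target $TargetOuDn).InheritedGpoLinks
    Write-Host "`nEffective precedence on $TargetOuDn (1 = wins on conflict):"
    $n = 1
    foreach ($link in $effective) { Write-Host ('  {0}. {1}' -f $n++, $link.DisplayName) }
}

# Hypothetical OU taken from the organization example of chapter 6.
Show-GpoPrecedence -TargetOuDn 'OU=Electrical System,DC=emcs,DC=local'
```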

5.4.2 How to Create a GPO and Edit GPO Settings


5.4.2.1 Create a GPO
The Security Administrator can create Group Policy Objects (GPOs) in the Active Directory.

The GPOs for a standard EPAS project are provided to help the user start a typical EPAS Active
Directory structure; however, the GPOs need to be configured in accordance with project needs.

See the EPAS GPOs provided in "EPAS GPOs" on page 35.

To create a GPO, follow the instructions provided in the table below:

Step 1: From Windows Server Manager, start the Group Policy Management (GPMC)
tool.

Step 2:
• Go to container Group Policy Objects in Group Policy Management > Forest:
  emcs.local > Domains > emcs.local
• Click Action, then click New
• In the New GPO text box, type the name for the new GPO (e.g. Firewall GTW)
• Click OK to save changes; the new GPO appears in the AD tree.

5.4.2.2 Edit GPO Settings

The Security Administrator can edit the GPO settings and apply policies:

Step 1: From Windows Server Manager, start the Group Policy Management (GPMC)
tool.

Step 2:
• Go to container Group Policy Objects in Group Policy Management > Forest:
  emcs.local > Domains > emcs.local
• Select a GPO, go to Action or right-click it, then select Edit...
• The Group Policy Management Editor opens to let you define Policies and
  Preferences in Computer Configuration and User Configuration.


5.4.3 How to Link an OU to an Existing GPO

The Security Administrator can link a particular OU to an existing Group Policy Object (GPO).

To link an OU to an existing GPO, follow the instructions provided in the table below:

Step 1: From Windows Server Manager, start the Group Policy Management (GPMC) tool.

Step 2:
• Go to container Group Policy Objects in Group Policy Management > Forest:
  emcs.local > Domains > emcs.local
• Right-click the OU container you want to link to an existing GPO and select Link an
  Existing GPO...
• In the Group Policy objects list, select the GPO to link and click OK


5.4.4 How to Backup, Restore GPOs and Import GPOs Policies

5.4.4.1 Backup GPOs
To back up GPOs, follow the instructions provided in the table below:

Step 1: From Windows Server Manager, start the Group Policy Management (GPMC) tool.

Step 2:
• Go to container Group Policy Objects in Group Policy Management > Forest:
  emcs.local > Domains > emcs.local
• Right-click the group that contains the GPOs to back up (e.g. Group Policy Objects)
  and select Back Up All...
• In Location, browse to select the folder where to store the backup and enter a
  Description (e.g. Test, or Backup as on 26th January):
• Finally, click Back up


5.4.4.2 Restore GPOs

To restore Group Policy Objects, follow the instructions provided in the table below:

Step 1: From Windows Server Manager, start the Group Policy Management (GPMC)
tool.

Step 2:
• Go to container Group Policy Objects in Group Policy Management > Forest:
  emcs.local > Domains > emcs.local
• Method 1, to restore a previous version of a GPO: expand the Group Policy Objects
  container, right-click the GPO to restore and select Restore from Backup... from the
  menu. The Restore GPO Wizard is displayed; follow the instructions to restore the GPO.
• Method 2, to restore a deleted GPO: right-click the Group Policy Objects container
  and select Manage Backups... From the Backed up GPOs list, select the GPO you
  deleted and click Restore:


5.4.4.3 Import GPO Policies

Importing settings is useful when you create a new GPO and want it to have the same
policy settings as an existing GPO. You can also import the policy settings of another
existing GPO into an existing GPO (see the note below in that case).

NOTE: Importing settings into an existing GPO permanently deletes that GPO's existing settings.
Therefore, consider backing up the existing GPO first.

Step 1: From Windows Server Manager, start the Group Policy Management (GPMC)
tool.

Step 2:
• Go to container Group Policy Objects in Group Policy Management > Forest:
  emcs.local > Domains > emcs.local
• Create or select the GPO into which you want to import the settings of an existing
  GPO. Right-click on it or go to Action and select Import Settings...
• Follow the Import Settings Wizard.
• When finished, you can open the GPO and, in the Settings tab under User
  Configuration > Policies, check the imported policies.

5.4.5 How to Apply EPAS GPOs


Refer to next chapter "EPAS GPOs" on page 35.


6 EPAS GPOs
This section describes how to deploy the set of GPOs provided by Schneider Electric to be
applied to the devices and software applications within an EPAS security network.

This set of GPOs helps ensure conformity with the Microsoft baseline recommendations for
security settings and is in compliance with the Center for Internet Security (CIS) benchmark.

The following CIS benchmark assessments have been performed to help ensure the continuous
compliance of the GPOs; the reports with the results are provided within the EPAS GPO
delivery package:
• CIS Microsoft Windows 10 Enterprise Benchmark v1.12.0 (Level 1 -
Corporate/Enterprise Environment (general use)) - Security Configuration Assessment
Report for OIS_SERVER.
• CIS Microsoft Windows Server 2019 Benchmark v1.3.0 (Level 1 - Domain Controller) -
Security Configuration Assessment Report for AD01.
• CIS Microsoft Windows Server 2019 Benchmark v1.3.0 (Level 1 - Member Server) -
Security Configuration Assessment Report for WSUS01.

The GPO rules will be updated regularly, depending on the security needs of the project.

This set of GPOs has been tested on a typical EPAS System, and it has been validated that
applying these GPOs has no impact on the electrical process.

The detailed descriptions of the EPAS GPOs are available in the All_GPO.html file provided in
the EPAS GPOs delivery package.

6.1 How to install EPAS GPO


The instructions in this chapter assume that the Group Policy Management tool for the
management of the Group Policy Objects (GPOs) is already installed on the Domain Controller. If
it is not the case, please refer to the "Install Group Policy Management (if missing)" topic on page 20.

The EPAS GPOs are delivered in a zip file called SE_GPO_CIS_L1_Delivery_V_X.X_DDMMYYYY.zip,
where X.X is the version and DDMMYYYY is the production date:

1. Unzip the EPAS GPO file

First of all, unzip the delivery zip file on your domain controller (where the GPOs will be set).

You will then get the folder structure shown in the image below:

NOTE: Unzip the package in a path without any blanks.


This table lists the folders contained in the EPAS GPO delivery package and describes
each of them:

00_Edge Pro Offline: This folder contains the offline installer of Microsoft Edge
Enterprise to replace Internet Explorer as web browser. You have to install it manually
on each computer.

01_Import_GPO: This folder contains a file with the script to import the EPAS GPOs into
the Group Policy Management console, and a sub-folder with the EPAS GPOs library
delivered.

02_Export script: This folder contains a file with the script to export the GPOs from the
Group Policy Management console for backup purposes.

03_Documentation: This folder contains this documentation and the CIS L1 reports folder
with 3 sub-folders by operating system. Each sub-folder contains an xls file with the
deviations from the CIS compliance and remarks. It also contains the All_GPO.html file
with the details of all the GPOs provided.

04_Backup GPO N-1: This is the baseline provided by Schneider Electric at the N-1 GPO
delivery.

2. Uninstall Internet Explorer

Remove Internet Explorer from all the Windows computers.

To uninstall Internet Explorer on Windows, go to the Application menu, then Manage
Optional features, and choose Uninstall Internet Explorer 11.


3. Back up your GPOs

Before importing the new set of GPOs, it is recommended to back up the GPOs already
installed.

To back up your current GPOs, go to the 02_Export script folder and right-click on the
Export-SEGPO.ps1 script, then choose Run with PowerShell:

PowerShell opens and asks for the location path where you want to store the backup.

Provide the location path (without blanks) and press Enter.

A new folder called GPOBackup_YYYYMMDD will be created inside it, where YYYY is the
current year, MM is the current month, and DD is the current day.

All your GPOs will be stored there:

You can also produce an HTML report with all your GPOs using the following command from a
PowerShell console (Path is the location where you want to export the report, e.g.
C:\temp\GPO.html):

PS C:\Windows\system32> Get-GPOReport -All -ReportType Html -Path C:\temp\GPO.html

A report is already provided within the Documentation folder.
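The backup, restore and import procedures of section 5.4.4 and the export step above can also be scripted with the GroupPolicy module. The following is an added example and not the Export-SEGPO.ps1 or Import-SEGPO.ps1 scripts of the delivery package: it backs up all GPOs into a dated GPOBackup_YYYYMMDD folder, writes the HTML report, and imports a backed-up GPO into a target GPO only after the target has itself been backed up, because Import-GPO replaces the target's settings completely (the note in 5.4.4.3). The paths are constructed, and the GPO name is assumed to exist in the delivery backup.

```powershell
# Added example, not the delivery package's Export-SEGPO.ps1 / Import-SEGPO.ps1.
# Requires the GroupPolicy module (installed with the Group Policy Management tool).
Import-Module GroupPolicy

function Backup-AllGpos {
    # Backs up every GPO of the domain into <Root>\GPOBackup_YYYYMMDD and writes an
    # HTML report next to it. Returns the backup folder path.
    param([Parameter(Mandatory)][string]$Root)            # e.g. C:\GPO (constructed)
    if ($Root -match '\s') { throw "Backup path must not contain blanks: $Root" }
    $dir = Join-Path $Root ("GPOBackup_{0:yyyyMMdd}" -f (Get-Date))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $backups = Backup-GPO -All -Path $dir -Comment ("Backup as on {0:dd MMMM yyyy}" -f (Get-Date))
    Get-GPOReport -All -ReportType Html -Path (Join-Path $dir 'GPO.html')
    Write-Host ("{0} GPO(s) backed up to {1}" -f @($backups).Count, $dir)
    return $dir
}

function Import-GpoSafely {
    # Imports the settings of $SourceGpoName (as stored in $BackupPath) into
    # $TargetGpoName. Import-GPO overwrites the target's settings, so an existing
    # target is backed up to $SafetyRoot first; a missing target is created.
    param(
        [Parameter(Mandatory)][string]$BackupPath,
        [Parameter(Mandatory)][string]$SourceGpoName,
        [Parameter(Mandatory)][string]$TargetGpoName,
        [Parameter(Mandatory)][string]$SafetyRoot
    )
    if (Get-GPO -Name $TargetGpoName -ErrorAction SilentlyContinue) {
        $safety = Join-Path $SafetyRoot ("PreImport_{0:yyyyMMdd_HHmmss}" -f (Get-Date))
        New-Item -ItemType Directory -Path $safety -Force | Out-Null
        Backup-GPO -Name $TargetGpoName -Path $safety | Out-Null
        Write-Host "Pre-import copy of '$TargetGpoName' saved to $safety"
    }
    Import-GPO -BackupGpoName $SourceGpoName -Path $BackupPath `
               -TargetName $TargetGpoName -CreateIfNeeded
}

function Restore-GpoFromBackup {
    # Puts a GPO back to the state saved in $BackupPath (the GUI "Restore from Backup...").
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$BackupPath)
    Restore-GPO -Name $Name -Path $BackupPath
}

# Usage with constructed paths: the source folder is the delivery path quoted in step 5,
# and the GPO name is one of those shown in the link-order example (assumed to exist).
$backupDir = Backup-AllGpos -Root 'C:\GPO'
Import-GpoSafely -BackupPath 'C:\GPO\GPO_Delivery\01_Import_GPO\Template_GPOs_SEF' `
                 -SourceGpoName 'ALL_C_Disable_W32TM' -TargetGpoName 'ALL_C_Disable_W32TM' `
                 -SafetyRoot 'C:\GPO'
```

The GPO-level backup taken by Import-GpoSafely is what Restore-GpoFromBackup (or the GUI wizard of 5.4.4.2) needs if the imported settings turn out to be wrong.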

4. Install Microsoft Edge

For security reasons, the GPO will disable Internet Explorer, therefore you need to install
MS Edge Professional web browser on your computers (if not already done). The MS
Edge updates will be managed by WSUS.

To install Microsoft Edge Professional, go to the 00_Edge Pro Offline folder, execute
the Windows MSI installer and simply follow the default installation options.


5. Import EPAS GPO

Once you have backed up your current GPOs, you can import the new set of GPOs.

To import the EPAS GPOs, go to the 01_Import_GPO folder and right-click on the
Import-SEGPO.ps1 script, then select Run with PowerShell:

In the PowerShell window, provide the location path (without blanks) where the GPOs to
import are located (e.g., C:\GPO\GPO_Delivery\01_Import_GPO\Template_GPOs_SEF):

cmdlet Import-SEGPO.ps1 at command pipeline position 1
Supply values for the following parameters:
Path.: C:\GPO\GPO_Delivery\01_Import_GPO\Template_GPOs_SEF

The new set of GPOs will be imported. However, they are not applied yet (see next step):


6. Apply EPAS GPO

NOTE: Before applying EPAS GPOs to the domain controller, create a second account
with Administrator rights (i.e. create a user with the same rights as the built-in Administrator
account).

Once a second user account with Administrator rights is created, go to Windows Server
Manager and open the Group Policy Management tool:

In Group Policy Objects, depending on your needs and on your architecture, right-click
on the GPO you want to deploy and select Copy:

Go to your domain forest and simply paste the GPO where you want it to be applied:


6.2 How to update EPAS GPOs

By default, GPOs are automatically refreshed every 90 minutes.

If you want to update them sooner, you can execute the gpupdate command in a command
prompt on the machines concerned:

c:\Users\Administrator>gpupdate
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

c:\Users\Administrator

6.3 EPAS GPO Organization Example


The images below illustrate an example of the Active Directory organization of an EPAS project
with GPOs implemented:

Image: Forest

Image: GPOs applied to the domain

Image: GPOs applied to the domain controller

Image: GPOs applied to the computers within the Electrical System OU

Image: GPOs applied to the computers within the Security System OU

7 Glossary
Active Directory (also AD): Active Directory is a directory service that Microsoft
developed for Windows domain networks. The purpose of Active Directory is to provide
centralized authentication and authorization services to a network of computers using the
Windows system. It also allows for the allocation and enforcement of policies, the
distribution of software, and the installation of updates by administrators.

ADUC: Active Directory Users and Computers. An RSAT tool that allows the Group Policy
Objects (GPOs) to be configured.

ACS: Schneider Electric Protection & Control

Active Directory Object: Active Directory objects represent the physical entities that
make up a network. An object is either a container object or a leaf object. A container
object stores other objects, whereas a leaf object does not store other objects and, as
such, occupies the endpoint of a sub-tree.

Active Directory Structure: The Active Directory structure allows for organizing computers
and users into logical groupings at various hierarchical levels.

CIS: A forward-thinking nonprofit that harnesses the power of a global IT community to
safeguard public and private organizations against cyber threats.
Source: https://www.cisecurity.org/

Domain: A domain is a form of computer network in which all user accounts, computers and
devices are registered with a central database located on one or more clusters of central
computers known as domain controllers.

Domain Controller: A server running Active Directory Domain Services is called a domain
controller; it responds to security authentication requests (logging in, checking
permissions).

DC: Domain Controller.

Group: A group defined in Active Directory is a type of AD object and contains a set of
users. This is equivalent to a Role definition for the EPAS Application.

Group Policy: A feature of the Microsoft Windows operating systems that controls the
working environment of user accounts and computer accounts. Group Policy provides the
centralized management and configuration of operating systems, applications, and users'
settings in an Active Directory environment.

GPMC: Group Policy Management Console. An RSAT tool that allows the Active Directory
organization to be configured.

Group Policy Object: Container of Group Policy settings defined for Windows authorization.

GPO: Group Policy Object.

Web Gateway Administration Tool: The WebGAT software allows the operator to administrate
the EPAS Gateway.

LSDOU: Local, Site, Domain, Organizational Unit. GPOs, once created, are applied in a
standard order: LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU, with the
later policies being superior to the earlier applied policies.

Organizational Unit: Allows logical divisions to be set up within a domain, similar to
sub-domains, in order to configure specific policies based on sites, users, computers or
groups of users.

OU: Organizational Unit.

EPAS: EcoStruxure Power Automation System.

RSAT: Remote Server Administration Tools. A Windows component for remote management of
other computers also running that operating system.

Security Administrator: A user of the system granted the right to manage its security.

Security database: Database containing all cybersecurity-related information. Both RBAC
and security settings are stored in this database.

Security Groups: A security group can include users and workstations. However, there is a
difference: OUs act as containers of objects (such as users and workstations), whereas
security groups are a collection of attributes that can be assigned to an object.


Schneider Electric
35 rue Joseph Monier
92500 Rueil Malmaison
France

+33 (0) 1 41 29 70 00

https://www.se.com

As standards, specifications, and designs change from time to time,
please ask for confirmation of the information given in this publication.

© 2010 - 2022 Schneider Electric. All Rights Reserved.