As a PI administrator, I need to baseline the security configuration of my PI System to ensure OSIsoft security best practices are followed.
Below is a list of requested features.
Baseline verification (read-only) for PI Data Archive:
- PI Data Archive Table Security - examines the database security of the PI Data Archive and flag any ACLs that contain access for PIWorld as weak.
- PIADMIN role - verify that the piadmin PI user is not used in any mappings or trusts.
- PI Data Archive Version - verify that the PI Data Archive is using the most recent release.
- Tuning parameters (Expensive Query Protection, archive data modification protection - EditDays) - verifies that the PI Data Archive has protection against expensive queries and that EditDays parameter is set.
- Auto Trust Configuration - verifies that the autotrustconfig tuning parameter is set to create either no trusts or a trust for the loopback automatically (127.0.0.1).
- Explicit Login Disabled - verifies that explicit login is disabled as an authentication protocol.
- PI Server Service Principal Name (SPN) configuration - verifies that the PIServer SPN exists and is assigned to the correct AD principal.
- PI Collective - verifies that the PI Data Archive is a member of a High Availability Collective.
- PI Firewall Used - verifies that PI Firewall is used.
- PI Backup Configured - ensures that PI Backups are configured and current.
Baseline configuration for PI Data Archive (via Powershell DSC configuration):
- Disable PIWorld PI identity
- Restrict use of the piadmin superuser
- Specify EditDays and Expensive query protection tuning parameters
- Auto Trust configuration
- Diable Explicit Login authentication
- Enable PI Firewall
- Create custom identities, map them to selected AD groups, and configure PI Database security appropriately.
