Improving System Security

If you are security-conscious, there are a few steps you can take to improve the security of your ARDI system.

Firewalls

Above all other suggestions that appear below, we suggest that those customers who prioritise security should place hardware firewalls between any PC system (not just your ARDI server) and your OT network.

Operating systems such as Windows and Linux are made up of many distinct parts, each with potential security flaws, so the most reliable protection is to make sure these devices simply can't communicate with any system they are not expected to.

User Security

Even though ARDI doesn't have the ability to write data using its drivers, it's always a good idea to ensure that any application accessing data only has the permissions it needs to do its job.

For example, an ARDI system should usually have only read access to any data source it uses.

Change Service Permissions

Although the Linux version of ARDI is secure-by-default, the Windows version ships in a slightly less secure way, since the system needs the ability to launch services during setup.

After your ARDI database is configured and running, you can run your ARDI services under more secure user accounts.

We suggest creating three local users for different classes of service…

User          Services   Description
ardi_web      Apache2    A user for the ARDI main web server
ardi_db       mysqld     A user for the ARDI MariaDB database
ardi_service  misc       A user for ARDI services and drivers

Web User

The web user needs read access to the ARDI installation folder and write access to the sites and install folder.

Assuming you've installed ARDI into C:\ARDI, you should set the following permissions…

Folder               Permission
C:\ARDI\             Read
C:\ARDI\web\sites    Full Access
C:\ARDI\log          Full Access
C:\Python310\        Read
C:\Windows\Temp      Full Access

The Apache2 service should run as this user.

Database User

The database user only needs read/write access to the database file(s).

Folder               Permission
C:\ARDI\log          Full Access
C:\ARDI\mysql\       Read Access
C:\ARDI\mysql\data   Full Access

The MariaDB or MySQL services should run under this account.

Service User

The service user needs access to any file(s) that need to be accessed by your ARDI drivers.

You can configure specific drivers with their own Windows users when integrating with systems that use Windows domain-user authentication.

Folder               Permission
C:\ARDI\drivers\     Read
C:\ARDI\web\sites    Read
C:\Python310\        Read
C:\Windows\Temp      Full Access
C:\ARDI\log          Full Access

All other ARDI services (such as the alarm services, drivers and consolidators) should use this user account.
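The steps above (create the three local accounts, grant each the folder permissions from its table, then point the services at those accounts) can be scripted so the result is repeatable and reviewable. The following PowerShell script is an added example, not part of the ARDI documentation or product. It assumes ARDI is installed in C:\ARDI and Python in C:\Python310 as the tables above do; the service name Apache2 is taken from the page, while the MariaDB and miscellaneous service names are placeholders you must replace with the real names reported by Get-Service. Run it from an elevated prompt.

```powershell
# Added example (not ARDI's own code): create the ARDI service accounts,
# apply the folder permissions listed above, and change each service's
# logon account. Paths are the page's defaults; service names other than
# Apache2 are placeholders (assumption) - check them with Get-Service.

$ErrorActionPreference = 'Stop'

# Permission matrix transcribed from the three tables above.
# 'R' = read & execute (icacls RX), 'F' = full access (icacls F).
$Accounts = @{
    'ardi_web' = @{
        'C:\ARDI'           = 'R'
        'C:\ARDI\web\sites' = 'F'
        'C:\ARDI\log'       = 'F'
        'C:\Python310'      = 'R'
        'C:\Windows\Temp'   = 'F'
    }
    'ardi_db' = @{
        'C:\ARDI\log'        = 'F'
        'C:\ARDI\mysql'      = 'R'
        'C:\ARDI\mysql\data' = 'F'
    }
    'ardi_service' = @{
        'C:\ARDI\drivers'   = 'R'
        'C:\ARDI\web\sites' = 'R'
        'C:\Python310'      = 'R'
        'C:\Windows\Temp'   = 'F'
        'C:\ARDI\log'       = 'F'
    }
}

# Which service runs as which account. Only 'Apache2' is named on the page;
# the other two keys are placeholders (assumption).
$ServiceMap = @{
    'Apache2'           = 'ardi_web'
    'MariaDB'           = 'ardi_db'       # placeholder: replace with real name
    'ARDI-MiscService'  = 'ardi_service'  # placeholder: replace with real name
}

$Creds = @{}

foreach ($user in $Accounts.Keys) {
    # Prompt for each password so it never lands in the script or history.
    $Creds[$user] = Get-Credential -UserName $user -Message "Password for ARDI service account $user"

    # Create the local account only if it does not already exist.
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $user -Password $Creds[$user].Password `
            -PasswordNeverExpires -Description 'ARDI service account' | Out-Null
    }

    # Grant the folder rights from the table. (OI)(CI) makes the entry
    # inherit to existing and future files and subfolders.
    foreach ($folder in $Accounts[$user].Keys) {
        $right = if ($Accounts[$user][$folder] -eq 'F') { 'F' } else { 'RX' }
        icacls $folder /grant "${user}:(OI)(CI)$right" | Out-Null
    }
}

foreach ($svc in $ServiceMap.Keys) {
    $user = $ServiceMap[$svc]
    $svcObj = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
    if (-not $svcObj) { throw "Service '$svc' not found; fix the placeholder name in `$ServiceMap" }

    # Win32_Service.Change sets the logon account. '.\' means a local account.
    $result = Invoke-CimMethod -InputObject $svcObj -MethodName Change -Arguments @{
        StartName     = ".\$user"
        StartPassword = $Creds[$user].GetNetworkCredential().Password
    }
    if ($result.ReturnValue -ne 0) {
        throw "Could not change logon account for '$svc' (return code $($result.ReturnValue))"
    }
    Restart-Service -Name $svc
}
```

Two caveats worth checking afterwards. Changing a service's logon account this way does not by itself grant the account the "Log on as a service" user right; if a service fails to start with a logon failure, grant that right to the account in Local Security Policy (secpol.msc, User Rights Assignment). Also, icacls /grant adds entries but does not remove broader ones already on the folder, so review the final ACLs with icacls C:\ARDI (and the other folders) to confirm the service accounts have nothing beyond what the tables list.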