Improving System Security
If you are security-conscious, there are a few steps you can take to improve the security of your ARDI system.
Firewalls
Above all other suggestions that appear below, we suggest that those customers who prioritise security should place hardware firewalls between any PC system (not just your ARDI server) and your OT network.
Operating systems such as Windows and Linux are made up of many distinct parts with potential security flaws, so the best way to ensure safety is to make sure that these devices simply can't communicate to any system they are not expected to.
User Security
Even though ARDI doesn't have the ability to write data using its drivers, it's always a good idea to ensure that any application accessing data only has the permissions it needs to do its job.
For example, ARDI systems should usually only have read access on any data sources it uses.
Change Service Permissions
Although the Linux version of ARDI is secure-by-default, the Windows version ships in a slightly less secure way, since the system needs the ability to launch services during setup.
After your ARDI database is configured and running, you can run your ARDI services under more secure user accounts.
We suggest creating three local users for different classes of service…
| User | Services | Description |
|---|---|---|
| ardi_web | Apache2 | A user for the ARDI main web server |
| ardi_db | mysqld | A user for the ARDI MariaDB database |
| ardi_service | misc | A user for ARDI services and drivers |
Web User
The web user needs read access to the ARDI installation folder and write access to the sites and install folder.
Assuming you've installed ARDI into C:\ARDI, you should set the following permissions…
| Folder | Permission |
|---|---|
| C:\ARDI\ | Read |
| C:\ARDI\web\sites | Full Access |
| C:\ARDI\log | Full Access |
| C:\Python310\ | Read |
| C:\Windows\Temp | Full Access |
The Apache2 service should run as this user.
Database User
The database user only needs read/write access to the database file(s).
| Folder | Permission |
|---|---|
| C:\ARDI\log | Full Access |
| C:\ARDI\mysql\ | Read Access |
| C:\ARDI\mysql\data | Full Access |
The MariaDB or MySQL services should run under this account.
Service User
The service user needs access to any file(s) that need to be accessed by your ARDI drivers.
You can configure specific drivers with their own Windows users when integrating with systems that use Windows domain-user authentication.
| C:\ARDI\drivers\ | Read |
| C:\ARDI\web\sites | Read |
| C:\Python310\ | Read |
| C:\Windows\Temp | Full Access |
| C:\ARDI\log | Full Access |
All other ARDI services (such as the alarm services, drivers and consolidators) should use this user account.