Table of Contents
ERDS & G2G Workstation Configuration
Once you have acquired your ERDS and/or G2G workstation and/or created your ERDS and/or G2G Virtual Machine, a variety of tasks must be performed to prepare the workstation to be used with CeRTNA’s ERDS and/or G2G platform.
These tasks include:
| Task | Description |
|---|---|
| Physically Secure The Workstation (Standalone workstations only.) | Certified ERDS workstations must be physically secured. Per CeRTNA’s HW / SW, CeRTNA recommends using a locking workstation security cabinet that can be secured to a wall or floor. . G2G workstations are not required to be kept in a locking security cabinet, however, many CeRTNA clients do secure their G2G workstations as well. . Notes regarding Virtual Machine (VM) installation are provided further down in this document. |
| Workstation Configuration | ERDS workstations and/or Virtual Machines need to pass a system security audit in order to be certified for transmitting ERDS transactions. This document provides recommendations on how to configure a variety of operating system components on your local workstations, including Windows Update settings, Local Security Policy settings, and Anti-Virus/Malware Protection settings. . G2G workstations are not subject to a system security audit, however CeRTNA recommends applying the same settings to your G2G workstation as recommended for your ERDS workstation. . Additional workstation configuration details are provided later in this document. |
| Network / Firewall Configuration | Per regulations, certified ERDS workstations and/or Virtual Machines are expected to be secured for the ‘sole use’ purpose of electronic recording activity. CeRTNA’s ERDS infrastructure is accessible over the Internet, as such, workstations must restrict access to only domains that are required to facilitate the functionality provided in the APEX client. A list of the domains that are used by APEX are listed further down in this document. . Additional network configuration details are provided provided later in this document. |
| Software Installation | There is a limited amount of software that needs to be installed. Currently these include: . - SafeNet Authentication Client (SAC) - APEX . APEX is CeRTNA’s client application software that is used to interact with the CeRTNA ERDS & G2G platforms. . The SafeNet Authentication Client (SAC) contains USB token drivers and APEX uses the token drivers to access the token based PKI certificates that are used for authentication, digital signatures, and encryption/decryption functions. . Additional software installation details are provided later in this document. |
Workstation Configuration
You will need to determine if your users are going to login to the ERDS or G2G workstation or VM's using a domain login account or a local login account. If you choose to use a local user account you will need to create the user accounts using Windows Computer Management feature which is accessible via the Windows Control Panel/Administrative Tools in Windows 10 or the Control Panel/Window Tools in Windows 11.
You will also need to determine whether your organization is going to manage the various security settings for the workstation or VM using Group Policy or Local Security Policy or a combination of both. CeRTNA does not have strict rules on which method you use. We have customers that use both methods effectively.
Once your workstation is installed, complete the following tasks:
- Disable the local Guest account.
- Rename the local Administrator user account.
- Ensure the anti-virus/anti-malware software is installed. Note: Windows Defender is built into the Windows 10 and Windows 11 operating systems.
- Ensure that a local Windows Firewall is running on the ERDS/G2G workstation. Some 3rd party antivirus solutions override the built-in Windows Firewall and this is acceptable as long as the firewall is enabled and protecting the computer.
Update the following Local System Settings
Please Note: The following settings are just recommendations from CeRTNA. If your organizational policy uses slightly different settings, the security auditor will accept your settings as long as they are deemed to be reasonable and secure.
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Account Policies\Password Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Account Policies\Password Policy
| Setting | Value |
|---|---|
| Enforce password history | 5 |
| Maximum password age | 30 |
| Minimum password age | 1 |
| Minimum password length | 8 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Account Policies\Account Lockout Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Account Policies\Account Lockout Policy
| Setting | Value |
|---|---|
| Account lockout duration | 60 mins |
| Account lockout threshold | 3 invalid logon attempts |
| Reset account lockout counter after | 60 mins |
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Local Policies\Audit Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Local Policies\Audit Policy
- Select all items for audit of success and failure.
Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Local Policies\Security Options
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Local Policies\Security Options
| Setting | Value |
|---|---|
| Accounts:Guest account status | Disabled |
| Accounts:Rename administrator account | {New Name} |
| Accounts:Rename administrator account | {New Name} |
Path (Win10): Control Panel\System and Security\Windows Defender Firewall\Customize Settings (See note)
Path (Win11): Control Panel\System\Privacy & security\Windows Security
| Setting | Value |
|---|---|
| Private network settings | Turn on Windows Defender Firewall |
| Public network settings | Turn on Windows Defender Firewall |
| Setting | Value |
|---|---|
| Private network settings | Turn on Windows Firewall |
| Public network settings | Turn on Windows Firewall |
Note: CeRTNA does not require any custom firewall rules to be applied. The only requirement is that a local workstation based firewall is enabled with the default settings. Organizations that have a product like Symantec Endpoint Protection will use the Symantec Endpoint Protection firewall, which will disable the Windows Firewall. Regardless of the local firewall that is used, you will need to show the auditor that the firewall for private and public networks is enabled.
Path (Windows 10): Control Panel\System\Windows Update
Path (Windows 11): Control Panel\System\Windows Update
By default Windows 10/11 Updates are enabled. Verify the Windows Update History to show that the updates are being applied.
Control Panel\All Control Panel Items\Power Options\System Settings
| Setting | Value |
|---|---|
| Require a password on wakeup | Selected |
Path (Windows 10): Control Panel\Settings\Lock Screen\Screen saver settings
Path (Windows 11): Control Panel\System\Personalization\Lock Screen
| Setting | Value |
|---|---|
| On resume, display logon screen | Enabled |
Anti-Virus Configuration
Anti-virus/Anti-malware software must be installed on your ERDS & G2G workstations. Windows 10 and Windows 11 both include Windows Defender. Your organization may be using an alternative 3rd party software product, for example, Symantec Endpoint Protection, McAfee Anti-Virus, AVG Anti-Virus, Trend Micro Anti-Virus, or any of the other myriad of commercial anti-virus products available. CeRTNA accepts your organizations solution for anti-virus/anti-malware protection, however, you must be able to show a security auditor that the anti-virus/anti-malware software is active and show that both quick and/or full scans are being completed on a regular basis.
If you are using Windows 10/11 Defender, you will need to have your anti-virus and anti-malware settings enabled. If you are using a 3rd party product, such as Symantec Endpoint Protection or AVG Anti-Virus protection, you will need to show the auditor equivalent settings that show that the computer is being protected with anti-virus/anti-malware software, the version information for the software and the virus definition files, the scan frequency, and a history showing the scans are being performed.
Windows 10/11 Defender Settings
To manage the Windows 10/11 Defender settings, launch the Windows Defender Security Center. You can click the Start menu button and then start typing Windows Defender Security Center and as you type you will see the program listed in the filtered search list. Click the Windows Defender Security Center app to start the application.
Option: Virus & Threat Protection / Threat History
| Setting | Value |
|---|---|
| Confirm files are being scanned. | Note Last Scan Date |
Option: Virus & Threat Protection / Virus & threat protection settings
| Setting | Value |
|---|---|
| Real-time protection. | On |
| Cloud-delivered protection. | On |
| Automatic sample submission. | Optional |
| Controlled folder access. (Default: None) | Optional |
| Exclusions. (Default: None) | Optional |
| Notifications | All On & Checked |
Option: Virus & Threat Protection / Virus & threat protection updates
| Setting | Value |
|---|---|
| Threat definition version. | Current |
| Version created on. | Current |
| Last update. | Current |
Option: Virus & Threat Protection / Ransomware Protection
| Setting | Value |
|---|---|
| Controlled folder access. | On |
Option: Firewall & Network Protection: (Default inbound/outbound rules are sufficient.)
| Setting | Value |
|---|---|
| Domain network. | On |
| Private network. | On |
| Public network. | On |
The following options are not managed in the Windows Defender Security Center
From the Start Menu, type Settings to launch the Windows Settings app.
Option: Personalization / Lock screen / Screen saver settings
| Setting | Value |
|---|---|
| Screen Saver: Wait time. | 10 minutes |
| Screen Saver: On resume, display logon screen. | On |
The following configuration item is still under review because it is only achievable using the gpedit console.
| Setting | Value |
|---|---|
| Scan archive files. | On |
| Scan removable drives. | On |
| Create a system restore point. | On |
| Allow all users to view the full History reports. | On |
Network/Firewall Configuration
As per regulations, the ERDS & G2G workstations are required to be for the 'sole-use' function of electronic recording. To that end, CeRTNA requires that the sites accessible by the ERDS & G2G workstations are restricted. There are different ways that this can be accomplished including:
- Via organizational firewall rules.
- Via local workstation network/proxy settings.
- Via a password controlled access lists.
Your organizations IT staff will be able to assist with this configuration item.
APEX communicates using SSL port 443 (https) and some communications take place using port 80 (http). The following table contains a list of hosts that must be reachable in order for APEX to be installed or be used after the installation:
| Host | IP Address | Description |
|---|---|---|
| dev-ws02.certna.org | 204.246.133.236 | APEX installation |
| apex-setup.certna.org | 204.246.133.236 | APEX installation |
| apex-prd.certna.org | 204.246.133.237 | APEX production ERDS web |
| apex-prd.certnag2g.org | 209.170.199.196 | APEX production G2G web |
| reports.certna.org | 204.246.133.238 | APEX production ERDS reports |
| reports.certnag2g.org | 209.170.199.202 | APEX production G2G reports |
| *.digicert.com | * | PKI certificates (Note 2) |
| *.ssl.com | * | Code Signing certificate (Note 2) |
| *.godaddy.com | * | SSL certificates (Note 2) |
CeRTNA no longer interfaces with Entrust, therefore, the references to *.entrust.com and *.entrust.net shown above have been stricken out.
Note 1: CeRTNA recognizes that different firewalls are in service at our customers and that firewall features functions can vary broadly. CeRTNA prefers to minimize the amount of IT administrative support required by creating rules based on the following tolerance and/or capabilities of your firewall:
- Use wildcard domains if possible. (Ex: *.certna.org or *.certnag2g.org)
- Use host names if possible. (Ex: apex-prd.certna.org or reports.certna.org)
- Last resort, use IP addresses.
The preceding list is sorted in order of preference.
Note 2: Several digital certificates are used in support of CeRTNA/APEX, these include SSL certificates, PKI certificates for digital signatures, PKI certificates for encryption/decryption, and code-signing certificates. The CeRTNA APEX application uses core WCF & .NET functionality to verify that the PKI certifcates are still valid and have not expired. Further, during the APEX installation/update process, the code-signing certificate is validated. The lower level WCF & .NET API's communicate using port 80 for OCSP and CRL certificate validation functions. It is important that your firewall team take this into consideration.
Workstation Support
In addition to the locations listed above, there are some additional hosts that you also want to allow in order to facilitate the retrieval of Windows Updates and for CeRTNA remote support.
| Host | IP Address | Description |
|---|---|---|
| *.microsoft.com | * | Top-level Microsoft domain, to avoid issues with Windows functionality. (Note 3) |
| *.update.microsoft.com | * | General Windows update domain. |
Configuring the firewall rules for Windows Updates and other fundamental OS support, for example, virus definition files for Endpoint Protection or other 3rd party system management tools is the responsibility of your organizations IT staff. The information provided in the preceding table is here simply point out that there are additional URL's that may need to be accommodated beyond those that are required for APEX and/or CeRTNA functionality.
Note 3: Support for Teams meetings and screensharing is also required for remote support of the APEX software.
Software Installation
SafeNet Authentication Client Installation
These installation instructions are for the SafeNet Authentication Client 10.8
SafeNet Authentication Client
The following items should be taken into consideration before installing the SafeNet Authentication Client:
- If you are using APEX and do not plan to send or retrieve transactions using the CeRTNA APEX client you do not need to install the SafeNet Authentication Client.
- If you are using a CeRTNA G2G workstation you do not need to install the SafeNet Authentication Client.
- Important: If you plan to use your CeRTNA G2G workstation as a backup to your CeRTNA ERDS workstation, you should install the SafeNet Authentication Client on your CeRTNA G2G workstation.
CeRTNA uses SafeNet USB tokens for ‘two-factor authentication’. These tokens require drivers to be installed in order to recognize the token. Currently CeRTNA is supporting two different types of tokens, the SafeNet iKey 4000 token and the SafeNet 5100 eToken.
The current version of the Entrust SafeNet Authentication Client software can be downloaded from the following URL:
https://knowledge.digicert.com/general-information/how-to-download-safenet-authentication-client
This zip file is approximately 20 MB in size.
Important Note: If you currently have another version of the SafeNet Authentication Client installed you will need to use the Windows Control Panel to uninstall the older version, before installing an updated version of the SafeNet Authentication Client software.
To install the SafeNet Authentication Client 10.8 software make sure your token is NOT plugged in.
Run the downloaded Installer (E.G. SafeNetAuthenticationClient-x64.msi) to start the setup process.
The following window is displayed:
Click the Next button to continue.
The following window is displayed:
You can leave the 'Use the existing configuration settings' checkbox selected.
Click the Next button to continue.
The following window is displayed:
Click on the I accept the license agreement radio button.
Click on the Next button to continue.
The following window is displayed:
Use the default program location for the destination folder.
Click on the Next button to continue.
Click the Typical radio button.
Click the Next button.
The following confirmation window will be displayed:
Click the Install button to start the installation.
You will see a User Access Control (UAC) prompt requesting permission to install the software. Select Yes to allow the software to be installed.
The following window is displayed while the installation progresses:
When the installation completes, the following window is displayed:
Click the Finish button.
You will see a new 'S' icon in your taskbar. (Lower right area of your screen.) As shown below. The icon will appear dimmed out, until your SafeNet token is inserted.
Token Installation
To use the CeRTNA APEX application for submitting or retrieving transactions on your ERDS workstation, customers must complete a fingerprint/background check. Once this process is complete and the approval paperwork has been provided to CeRTNA staff a SafeNet token will be mailed to you. The token will contain your DigiCert PKI certificate, which is used for digital signing and encryption/decryption functionality.
After you receive your SafeNet token, insert the token into an available USB port on your system. The token will be automatically recognized and linked to the SafeNet driver.
Once the device driver is successfully linked to your SafeNet token, the 'S' icon will appear illuminated as shown in the picture below:
This completes the Token Installation.
APEX Client Installation
APEX is based on the Microsoft “Click-Once” software architecture. This means that the installation files are accessed over the Internet. Once the installation completes, APEX communicates with the following URLs:
ERDS: https://apex-prd.certna.org (204.246.133.237)
G2G: https://apex-prd.certnag2g.org (209.170.199.196)
Please be sure to check with your IT department to ensure that your workstation has access to both the installation URLs and the operational URLs as outlined.
To be able to initiate the installation process you must be able to communicate with following URL: https://dev-ws02.certna.org/APEX/Setup/index.html (209.170.199.194). If you are able to reach the installation site, you will be presented with the screen that is shown below.
If you are not presented with the page that is shown below, it may be due to firewall restrictions, your anti-virus software, and/or your organizations workstation security policy. You will need to reach out to your local IT support staff if you have difficulty accessing the APEX installation site or run into other issues trying to install APEX.
It should also be noted that the APEX software is signed with a code-signing certificate to prove it is from a trust vendor, California Electronic Recording Transaction Network Authority. This certificate is validated by servers located by the entrust.net Certification Authority (CA). If the certificate cannot be verified, it could prevent the installation of the software.
Click the Install button. You should see the following prompt at the bottom of the browser window:
Click the Run button.
Applications that are installed over the Internet should be signed so that you know that the application software is distributed by a trusted source. The following Application Install Security Warning is displayed:
Optionally, you can display the CeRTNA Code Signing Certificate by clicking the link labeled California Electronic Recording Transaction Network Authority. If you click the link, the following panel is displayed to so CeRTNA's code signing certificate information:
When you are finished viewing the certificate details, click the Ok button to close the window.
From the Application Install Security Warning window, click the Install button. The APEX application will be installed and a progress window will be displayed as shown below:
Once the installation completes, the APEX client application will automatically launch as shown below:
This completes the APEX Installation process. Please be sure to read the APEX Getting Started Guide before you attempt to use APEX.