ERDS & G2G Workstation Configuration

Once you have acquired your ERDS and/or G2G workstation, a variety of tasks must be performed to prepare the workstation to be used with CeRTNA’s ERDS and/or G2G platform. These tasks include:

Task: Physically Secure The Workstation
Certified ERDS workstations must be physically secured. Per CeRTNA’s HW / SW, CeRTNA recommends using a locking workstation security cabinet that can be secured to a wall or floor.

G2G workstations are not required to be kept in a locking security cabinet; however, many CeRTNA clients do secure their G2G workstations as well.

Task: Workstation Configuration
ERDS workstations need to pass a system security audit in order to be certified for transmitting ERDS transactions. This document provides recommendations on how to configure a variety of operating system components on your local workstations, including Windows Update settings, Local Security Policy settings, and Anti-Virus/Malware Protection settings.

G2G workstations are not subject to a system security audit; however, CeRTNA recommends applying the same settings to your G2G workstation as recommended for your ERDS workstation.

Additional workstation configuration details are provided later in this document.

Task: Network / Firewall Configuration
Per regulations, certified ERDS workstations are expected to be secured for the ‘sole use’ purpose of electronic recording activity. CeRTNA’s ERDS infrastructure is accessible over the Internet; as such, workstations must restrict access to only the domains that are required to facilitate the functionality provided in the APEX client. The domains used by APEX are listed further down in this document.

Additional network configuration details are provided later in this document.

Task: Software Installation
There is a limited amount of software that needs to be installed. Currently this includes:

  • SafeNet Authentication Client (SAC)
  • APEX
  • Microsoft Baseline Security Analyzer (MBSA)

APEX is CeRTNA’s client application software that is used to interact with the CeRTNA ERDS & G2G platforms.

The SafeNet Authentication Client (SAC) contains USB token drivers. APEX uses the token drivers to access the token-based PKI certificates that are used for authentication, digital signatures, and encryption/decryption functions.

The Microsoft Baseline Security Analyzer (MBSA) is a tool produced by Microsoft that analyzes your workstation configuration to determine its level of security. It checks a variety of conditions, for example: are any Windows Updates missing, is the firewall on, do any users have non-expiring passwords, etc.

Additional software installation details are provided later in this document.

Task: Generate MBSA Report
An MBSA report is required for the initial installation of both the ERDS & G2G workstations, and an updated MBSA report for both the ERDS & G2G workstations must be submitted to CeRTNA annually.

Workstation Configuration

Once your workstation is installed, complete the following tasks:

  • Create individual user accounts (non-admin) for the users that are or will be authorized to use the CeRTNA ERDS workstation.
  • Disable the local Guest account.
  • Ensure the anti-virus/anti-malware software is installed. Note: Windows Defender is built into the Windows 10 operating system.

Update the following Local System Settings

Please Note: The following settings are just recommendations from CeRTNA. If your organizational policy uses slightly different settings, the security auditor will accept your settings as long as they are deemed to be reasonable and secure.

Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Account Policies\Password Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Account Policies\Password Policy

Setting                                     | Value
Enforce password history                    | 5
Maximum password age                        | 30 days
Minimum password age                        | 1 day
Minimum password length                     | 8
Password must meet complexity requirements  | Enabled
Store passwords using reversible encryption | Disabled

Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Account Policies\Account Lockout Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Account Policies\Account Lockout Policy

Setting                              | Value
Account lockout duration             | 60 mins
Account lockout threshold            | 3 invalid logon attempts
Reset account lockout counter after  | 60 mins

Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Local Policies\Audit Policy
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Local Policies\Audit Policy

  • Select all items for audit of success and failure.

Path (Windows 10): Control Panel\Administrative Tools\Local Security Policy\Local Policies\Security Options
Path (Windows 11): Control Panel\Windows Tools\Local Security Policy\Local Policies\Security Options

Setting                                | Value
Accounts: Guest account status         | Disabled
Accounts: Rename administrator account | {New Name}

Path (Windows 10): Control Panel\System and Security\Windows Defender Firewall\Customize Settings (see note)
Path (Windows 11): Control Panel\System\Privacy & security\Windows Security

Setting                  | Value
Private network settings | Turn on Windows Defender Firewall
Public network settings  | Turn on Windows Defender Firewall

Note: CeRTNA does not require any custom firewall rules to be applied. The only requirement is that a local workstation based firewall is enabled with the default settings. Organizations that have a product like Symantec Endpoint Protection will use the Symantec Endpoint Protection firewall, which will disable the Windows Firewall. Regardless of the local firewall that is used, you will need to show the auditor that the firewall for private and public networks is enabled.

Path (Windows 10): Control Panel\System\Windows Update
Path (Windows 11): Control Panel\System\Windows Update

By default Windows 10/11 Updates are enabled. Verify the Windows Update History to show that the updates are being applied.

Path: Control Panel\All Control Panel Items\Power Options\System Settings

Setting                      | Value
Require a password on wakeup | Selected

Path (Windows 10): Control Panel\Settings\Lock Screen\Screen saver settings
Path (Windows 11): Control Panel\System\Personalization\Lock Screen

Setting                          | Value
On resume, display logon screen  | Enabled
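The following script is an added example (not CeRTNA's own tooling) that compares a workstation against the Local Security Policy, audit policy, firewall and screen saver values recommended above, so you can review differences before the auditor does. It assumes an elevated PowerShell prompt on Windows 10/11 and the built-in secedit, auditpol and NetSecurity tools.

```powershell
# Added example (not CeRTNA's tooling): compare this workstation's local policy, audit policy,
# firewall profiles and screen saver lock against the recommended values above.
# Run from an elevated PowerShell prompt on Windows 10/11.

# Expected values, keyed by the names secedit uses in its exported .inf file.
$expected = [ordered]@{
    'PasswordHistorySize'   = '5'    # Enforce password history
    'MaximumPasswordAge'    = '30'   # Maximum password age (days)
    'MinimumPasswordAge'    = '1'    # Minimum password age (days)
    'MinimumPasswordLength' = '8'    # Minimum password length
    'PasswordComplexity'    = '1'    # Password must meet complexity requirements: Enabled
    'ClearTextPassword'     = '0'    # Store passwords using reversible encryption: Disabled
    'LockoutDuration'       = '60'   # Account lockout duration (minutes)
    'LockoutBadCount'       = '3'    # Account lockout threshold (invalid logon attempts)
    'ResetLockoutCount'     = '60'   # Reset account lockout counter after (minutes)
    'EnableGuestAccount'    = '0'    # Accounts: Guest account status: Disabled
}

# 1. Export the effective local security policy and parse its "Name = Value" lines.
$inf = Join-Path $env:TEMP 'local-policy-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
$actual = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $actual[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# Auditors accept reasonable variations, so differences are flagged REVIEW rather than FAIL.
$policyReport = foreach ($name in $expected.Keys) {
    $state = if ($actual[$name] -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual[$name]; Status = $state }
}

# 2. Audit policy: every subcategory should audit both success and failure.
$audit = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$partialAudit = $audit | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' } |
    Select-Object Subcategory, 'Inclusion Setting'

# 3. Firewall: private and public profiles must be on (default rules are sufficient).
# If a third-party product such as Symantec Endpoint Protection replaces Windows Firewall,
# these profiles may show Disabled; show the auditor that product's console instead.
$firewall = Get-NetFirewallProfile | Select-Object Name, Enabled

# 4. Screen saver lock for the current user (values are stored as strings; 600 = 10 minutes).
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$screenSaver = [pscustomobject]@{
    ScreenSaverActive = $desk.ScreenSaveActive
    LockOnResume      = $desk.ScreenSaverIsSecure   # "On resume, display logon screen"
    TimeoutSeconds    = $desk.ScreenSaveTimeOut
}

$policyReport | Format-Table -AutoSize
"Built-in administrator account is currently named: $($actual['NewAdministratorName'])"
"Audit subcategories not set to 'Success and Failure': $(@($partialAudit).Count)"
$partialAudit | Format-Table -AutoSize
$firewall | Format-Table -AutoSize
$screenSaver | Format-List
```

A REVIEW line means the value differs from CeRTNA's recommendation, not that the auditor will reject it; compare it against your organizational policy before changing it.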

Anti-Virus Configuration

Anti-virus/Anti-malware software must be installed on your ERDS & G2G workstations. Microsoft has two product offerings to protect your workstation: Microsoft Security Essentials (Windows 7) and Windows Defender (Windows 10). Your organization may be using an alternative 3rd party software product, for example, Symantec Endpoint Protection, McAfee Anti-Virus, AVG Anti-Virus, Trend Micro Anti-Virus, or any of the other myriad commercial anti-virus products available. CeRTNA accepts your organization's solution for anti-virus/anti-malware protection; however, you must be able to show a security auditor that the anti-virus/anti-malware software is active and that quick and/or full scans are being completed on a regular basis.

If you are using Windows 10/11 Defender, you will need to have your anti-virus and anti-malware settings enabled. If you are using a 3rd party product, such as Symantec Endpoint Protection or AVG Anti-Virus protection, you will need to show the auditor equivalent settings that show that the computer is being protected with anti-virus/anti-malware software, the version information for the software and the virus definition files, the scan frequency, and a history showing the scans are being performed.

Windows 10/11 Defender Settings

To manage the Windows 10/11 Defender settings, launch the Windows Defender Security Center. You can click the Start menu button and then start typing Windows Defender Security Center and as you type you will see the program listed in the filtered search list. Click the Windows Defender Security Center app to start the application.

Option: Virus & Threat Protection / Threat History

Setting                          | Value
Confirm files are being scanned  | Note the last scan date

Option: Virus & Threat Protection / Virus & threat protection settings

Setting                                 | Value
Real-time protection                    | On
Cloud-delivered protection              | On
Automatic sample submission             | Optional
Controlled folder access (default: none) | Optional
Exclusions (default: none)              | Optional
Notifications                           | All on & checked

Option: Virus & Threat Protection / Virus & threat protection updates

Setting                    | Value
Threat definition version  | Current
Version created on         | Current
Last update                | Current

Option: Virus & Threat Protection / Ransomware Protection

Setting                   | Value
Controlled folder access  | On

Option: Firewall & Network Protection (default inbound/outbound rules are sufficient)

Setting          | Value
Domain network   | On
Private network  | On
Public network   | On

The following options are not managed in the Windows Defender Security Center.

From the Start Menu, type Settings to launch the Windows Settings app.

Option: Personalization / Lock screen / Screen saver settings

Setting                                        | Value
Screen Saver: Wait time                        | 10 minutes
Screen Saver: On resume, display logon screen  | On

The following configuration items are still under review because they are only achievable using the gpedit (Local Group Policy Editor) console.

Setting                                          | Value
Scan archive files                               | On
Scan removable drives                            | On
Create a system restore point                    | On
Allow all users to view the full History reports | On
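As an added example (not part of CeRTNA's documentation or tooling), the script below collects the Windows Defender evidence an auditor asks for: that protection is active, the definition version and date, the last quick and full scans, any exclusions, and the gpedit-controlled scan options listed above. It assumes Windows Defender is the active anti-virus product (the Defender cmdlets report nothing useful when a 3rd party product is in control) and a 7-day threshold for "current", which is an assumption rather than a CeRTNA requirement.

```powershell
# Added example (not CeRTNA's tooling): gather Windows Defender evidence for the security audit.
# Assumes Windows Defender is the active anti-virus on this Windows 10/11 workstation.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Settings from the tables above, with the Defender property that reports each one.
$checks = @(
    @{ Setting = 'Antivirus enabled';             Actual = $status.AntivirusEnabled }
    @{ Setting = 'Real-time protection';          Actual = $status.RealTimeProtectionEnabled }
    @{ Setting = 'Cloud-delivered protection';    Actual = ($prefs.MAPSReporting -ne 0) }
    @{ Setting = 'Controlled folder access';      Actual = ($prefs.EnableControlledFolderAccess -eq 1) }
    @{ Setting = 'Scan archive files';            Actual = (-not $prefs.DisableArchiveScanning) }
    @{ Setting = 'Scan removable drives';         Actual = (-not $prefs.DisableRemovableDriveScanning) }
    @{ Setting = 'Create a system restore point'; Actual = (-not $prefs.DisableRestorePoint) }
)
$settingsReport = foreach ($c in $checks) {
    # Every setting above is expected to be On, so anything false is flagged for review.
    $state = if ($c.Actual) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Setting = $c.Setting; On = [bool]$c.Actual; Status = $state }
}

# Exclusions default to none; any entry here is something the auditor will ask about.
$exclusions = @($prefs.ExclusionPath; $prefs.ExclusionExtension; $prefs.ExclusionProcess) |
    Where-Object { $_ }

# "Current" is taken here to mean within the last 7 days (assumed threshold, not CeRTNA's).
$maxAgeDays = 7
$evidence = [pscustomobject]@{
    'Product version'           = $status.AMProductVersion
    'Threat definition version' = $status.AntivirusSignatureVersion
    'Definitions last updated'  = $status.AntivirusSignatureLastUpdated
    'Definitions current'       = ($status.AntivirusSignatureAge -le $maxAgeDays)
    'Last quick scan'           = $status.QuickScanEndTime
    'Last full scan'            = $status.FullScanEndTime
    'Scanned recently'          = ([Math]::Min($status.QuickScanAge, $status.FullScanAge) -le $maxAgeDays)
    'Exclusions configured'     = @($exclusions).Count
}

$settingsReport | Format-Table -AutoSize
$evidence | Format-List
$exclusions
```

The Format-List output is what the auditor wants to see for version, definition and scan history; for a 3rd party product, collect the equivalent details from that product's console.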

Network/Firewall Configuration

As per regulations, the ERDS & G2G workstations are required to be for the 'sole-use' function of electronic recording. To that end, CeRTNA requires that the sites accessible by the ERDS & G2G workstations are restricted. There are different ways that this can be accomplished, including:

  • Via organizational firewall rules.
  • Via local workstation network/proxy settings.
  • Via password-controlled access lists.

Your organization's IT staff will be able to assist with this configuration item.

Software Installation

SafeNet Authentication Client Installation

These installation instructions are for the SafeNet Authentication Client 10.8.

SafeNet Authentication Client

The following items should be taken into consideration before installing the SafeNet Authentication Client:

  • If you are using APEX and do not plan to send or retrieve transactions using the CeRTNA APEX client you do not need to install the SafeNet Authentication Client.
  • If you are using a CeRTNA G2G workstation you do not need to install the SafeNet Authentication Client.
  • Important: If you plan to use your CeRTNA G2G workstation as a backup to your CeRTNA ERDS workstation, you should install the SafeNet Authentication Client on your CeRTNA G2G workstation.

CeRTNA uses SafeNet USB tokens for ‘two-factor authentication’. These tokens require drivers to be installed in order to recognize the token. Currently CeRTNA is supporting two different types of tokens, the SafeNet iKey 4000 token and the SafeNet 5100 eToken.

The current version of the Entrust SafeNet Authentication Client software can be downloaded from the following URL:

https://knowledge.digicert.com/general-information/how-to-download-safenet-authentication-client

This zip file is approximately 20 MB in size.

Important Note: If you currently have another version of the SafeNet Authentication Client installed you will need to use the Windows Control Panel to uninstall the older version, before installing an updated version of the SafeNet Authentication Client software.

To install the SafeNet Authentication Client 10.8 software make sure your token is NOT plugged in.

Run the downloaded installer (e.g. SafeNetAuthenticationClient-x64.msi) to start the setup process.

The following window is displayed:

Click the Next button to continue.

The following window is displayed:

You can leave the 'Use the existing configuration settings' checkbox selected.

Click the Next button to continue.

The following window is displayed:

Click on the I accept the license agreement radio button.

Click on the Next button to continue.

The following window is displayed:

Use the default program location for the destination folder.

Click on the Next button to continue.

Click the Typical radio button.

Click the Next button.

The following confirmation window will be displayed:

Click the Install button to start the installation.

You will see a User Access Control (UAC) prompt requesting permission to install the software. Select Yes to allow the software to be installed.

The following window is displayed while the installation progresses:

When the installation completes, the following window is displayed:

Click the Finish button.

You will see a new 'S' icon in your taskbar (lower right area of your screen), as shown below. The icon will appear dimmed until your SafeNet token is inserted.

Token Installation

To use the CeRTNA APEX application for submitting or retrieving transactions on your ERDS workstation, customers must complete a fingerprint/background check. Once this process is complete and the approval paperwork has been provided to CeRTNA staff a SafeNet token will be mailed to you. The token will contain your DigiCert PKI certificate, which is used for digital signing and encryption/decryption functionality.

After you receive your SafeNet token, insert the token into an available USB port on your system. The token will be automatically recognized and linked to the SafeNet driver.

Once the device driver is successfully linked to your SafeNet token, the 'S' icon will appear illuminated as shown in the picture below:

This completes the Token Installation.

APEX Client Installation

APEX is based on the Microsoft “Click-Once” software architecture. This means that the installation files are accessed over the Internet. Once the installation completes, APEX communicates with the following URLs:

ERDS: https://apex-prd.certna.org (204.246.133.237)

G2G: https://apex-prd.certnag2g.org (209.170.199.196)

Please be sure to check with your IT department to ensure that your workstation has access to both the installation URLs and the operational URLs as outlined.

To be able to initiate the installation process you must be able to communicate with the following URL: https://dev-ws02.certna.org/APEX/Setup/index.html (209.170.199.194). If you are able to reach the installation site, you will be presented with the screen that is shown below.

If you are not presented with the page that is shown below, it may be due to firewall restrictions, your anti-virus software, and/or your organization's workstation security policy. You will need to reach out to your local IT support staff if you have difficulty accessing the APEX installation site or run into other issues trying to install APEX.

It should also be noted that the APEX software is signed with a code-signing certificate to prove it is from a trusted vendor, California Electronic Recording Transaction Network Authority. This certificate is validated against servers at the entrust.net Certification Authority (CA). If the certificate cannot be verified, it could prevent the installation of the software.
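Before involving IT, the following added example (not CeRTNA's own tooling) checks from the workstation that the installation and operational hosts listed above resolve to the addresses shown and accept an HTTPS connection on port 443. It assumes Windows 10/11 with the built-in DnsClient and NetTCPIP modules; the hostnames and addresses are the ones listed on this page.

```powershell
# Added example (not CeRTNA's tooling): verify reachability of the APEX URLs listed above.
# Hostnames and expected addresses are taken from this page; a mismatch or a closed port is
# usually the firewall, proxy or anti-virus restriction described above.
$endpoints = @(
    @{ Role = 'APEX installation'; Host = 'dev-ws02.certna.org';    ExpectedIp = '209.170.199.194' }
    @{ Role = 'ERDS';              Host = 'apex-prd.certna.org';    ExpectedIp = '204.246.133.237' }
    @{ Role = 'G2G';               Host = 'apex-prd.certnag2g.org'; ExpectedIp = '209.170.199.196' }
)

$results = foreach ($e in $endpoints) {
    # DNS: collect the A records the workstation actually sees for this name.
    $dns = Resolve-DnsName -Name $e.Host -Type A -ErrorAction SilentlyContinue
    $ips = @($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    # TCP: can the workstation open the HTTPS port at all? (No request is sent.)
    $tcp = Test-NetConnection -ComputerName $e.Host -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Role          = $e.Role
        Host          = $e.Host
        ResolvedTo    = ($ips -join ', ')
        MatchesListed = ($ips -contains $e.ExpectedIp)
        Https443Open  = [bool]$tcp.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize
```

Take the table to your local IT support staff if any row shows a false value; they can tell you whether the organizational firewall rules or proxy settings need to allow that host.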

Click the Install button. You should see the following prompt at the bottom of the browser window:

Click the Run button.

Applications that are installed over the Internet should be signed so that you know that the application software is distributed by a trusted source. The following Application Install Security Warning is displayed:

Optionally, you can display the CeRTNA Code Signing Certificate by clicking the link labeled California Electronic Recording Transaction Network Authority. If you click the link, the following panel is displayed to show CeRTNA's code signing certificate information:

When you are finished viewing the certificate details, click the Ok button to close the window.

From the Application Install Security Warning window, click the Install button. The APEX application will be installed and a progress window will be displayed as shown below:

Once the installation completes, the APEX client application will automatically launch as shown below:

This completes the APEX Installation process. Please be sure to read the APEX Getting Started Guide before you attempt to use APEX.

Microsoft Baseline Security Analyzer Installation

These installation instructions are for the Microsoft Baseline Security Analyzer version 2.3

Microsoft Baseline Security Analyzer (MBSA) Tool

There are two different types of MBSA tools available and the one you will install will be dependent on the type of workstation you are installing the tool on. There is a 64-bit version and a 32-bit version of the MBSA tool.

The 64-bit version can be downloaded from the following URL:

https://admin.certna.org/Downloads/MBSA23x64.zip

The 32-bit version can be downloaded from the following URL:

https://admin.certna.org/Downloads/MBSA23x86.zip

These zip files are approximately 1.3 MB in size.

Important Note: If you currently have another version of the Microsoft Baseline Security Analyzer installed, you should uninstall the older version, before installing an updated version of the software.

Important: Microsoft has ended support for the MBSA tool, which is why CeRTNA has the software available for download directly from our website. In the future, CeRTNA plans to replace the MBSA tool with another security analyzer, but until further notice, we will continue to use Microsoft Baseline Security Analyzer version 2.3 for our security scanning/reporting needs.

Unzip either the MBSA23x64.zip or the MBSA23x86.zip file to a working directory, for example C:\MBSA_Setup or a name of your choosing.

Once the zip file has been extracted open the MBSA23x64 or MBSA23x86 folder:

Double-click the MBSASetup-x64-EN.msi or MBSASetup-x86-EN.msi program icon to start the setup process.

The following window is displayed:

Click the 'I accept the license agreement' radio button.

Click the Next button to continue.

The following window is displayed:

Accept the default setting for the Destination Folder.

Click the Next button to continue.

The following confirmation window is displayed:

Click the Install button to continue.

You will see a User Access Control (UAC) prompt requesting permission to install the software. Select Yes to allow the software to be installed.

The installation process completes very quickly. During the installation, a status window is displayed for a few seconds. Once the installation completes, the following window is displayed:

Click the Ok button to close the window.

A new icon labeled Microsoft Baseline Security Analyzer 2.3 will be present on your Windows Desktop. You can double-click the icon to run the MBSA tool when you need to analyze your system or generate a report. Using the tool is covered in the next section.

MBSA Reporting

After you have your ERDS and/or G2G workstations set up, software installed and configured, you will need to run the Microsoft Baseline Security Analyzer (MBSA) tool and send a clean MBSA report to CeRTNA. A clean MBSA report for both the ERDS & G2G workstations must be delivered to CeRTNA annually. Email notifications will be sent out each year, requesting the report.

Note: It is recommended that you run your Windows Update process prior to running the MBSA tool. This ensures that the updates installed on your computer will match the update catalog that the MBSA tool retrieves from Microsoft.

To generate an MBSA report, start the Microsoft Baseline Security Analyzer 2.3 program. The following screen is displayed:

Click Scan a computer

The following screen is displayed:

You can accept all the default selections.

Click the Start Scan button.

The MBSA tool will retrieve the latest update catalog from Microsoft and compare it to the updates that have been installed on your computer. It will also check a variety of other security settings, such as any incomplete software installations, multiple Administrator accounts, any users with weak or non-expiring passwords, any browser vulnerabilities, etc.

The analysis can take several minutes. While the MBSA tool is analyzing your workstation, a status panel is displayed, similar to the following:

When the analysis process completes, the MBSA tool will display a report that highlights results of the scan. The report should look similar to the following:

If your report results do not have a Green shield at the top of the report, you will need to review the report details to determine any issues that need to be resolved. Issues that have a Red icon next to them indicate a serious issue that needs to be resolved. A Yellow shield is a Warning indicator, letting you know there is something you should consider addressing. Blue icons are listed strictly as informational and do not impact the CeRTNA reporting process.

For some MBSA Report troubleshooting tips, you can view the document MBSA Troubleshooting Tips.

In most cases, the typical issue that needs to be resolved is incomplete Windows Security Updates.

Each reporting line item has two and possibly three of the following:

  • What was scanned
  • Result details
  • How to correct this

If you do not have a Green 'Strong Security' shield at the top of your report, review and attempt to resolve the items that are flagged. As you correct each of the items, you can re-run the MBSA tool to obtain an updated report.

If you have a Green 'Strong Security' shield at the top of the report, you can click the 'Print this report' link that is on the bottom of the page and print the report to either a PDF printer or to Microsoft's XPS printer format. CeRTNA will accept either format. Send the printed report to your CeRTNA contact via e-mail.

guides/workstation_configuration.1556670430.txt.gz · Last modified: by brett.zamora