As a PI administrator, I need to baseline the security configuration of my PI System to ensure OSIsoft security best practices are followed.

Below is a list of requested features.

Baseline verification (read-only) for PI Data Archive:
- PI Data Archive Table Security - examines the database security of the PI Data Archive and flag any ACLs that contain access for PIWorld as weak.
- PIADMIN role - verify that the piadmin PI user is not used in any mappings or trusts.
- PI Data Archive Version - verify that the PI Data Archive is using the most recent release.
- Tuning parameters (Expensive Query Protection, archive data modification protection - EditDays) - verifies that the PI Data Archive has protection against expensive queries and that EditDays parameter is set.
- Auto Trust Configuration - verifies that the autotrustconfig tuning parameter is set to create either no trusts or a trust for the loopback automatically (127.0.0.1).
- Explicit Login Disabled - verifies that explicit login is disabled as an authentication protocol.
- PI Server Service Principal Name (SPN) configuration - verifies that the PIServer SPN exists and is assigned to the correct AD principal.
- PI Collective - verifies that the PI Data Archive is a member of a High Availability Collective.
- PI Firewall Used - verifies that PI Firewall is used.
- PI Backup Configured - ensures that PI Backups are configured and current.

Baseline configuration for PI Data Archive (via Powershell DSC configuration):
- Disable PIWorld PI identity
- Restrict use of the piadmin superuser
- Specify EditDays and Expensive query protection tuning parameters
- Auto Trust configuration
- Diable Explicit Login authentication
- Enable PI Firewall
- Create custom identities, map them to selected AD groups, and configure PI Database security appropriately.

In our environment we have an archive Collective and 2 AF servers coordinated by a network load balancer. The Tests should support a system with load balanced AF servers.

It appears, that even if you set the value AFServer in app.config to one of the 2 AF servers, the pre-checks will still fail if the local instance of System Explorer is connected to AF using the load balancer as the host. I get errors such as these (PIAF is the name of the load balancer).

OSIsoft.PISystemDeploymentTests.PreliminaryChecks.CheckRtqpEngineServiceTest [STARTING]

  System.InvalidOperationException : Cannot open Service Control Manager on computer 'PIAFTest'. This operation might require other privileges.

  ---- System.ComponentModel.Win32Exception : The RPC server is unavailable

  Stack Trace:

       at System.ServiceProcess.ServiceController.GetDataBaseHandleWithAccess(String machineName, Int32 serviceControlManaqerAccess)

       at System.ServiceProcess.ServiceController.GetDataBaseHandleWithConnectAccess()

       at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)

       at System.ServiceProcess.ServiceController.GenerateStatus()

       at System.ServiceProcess.ServiceController.get_Status()

    D:\Installation Kits\PI System Deployment Tests\source\Common\Utils.cs(38,0): at OSIsoft.PISystemDeploymentTests.Utils.CheckServiceRunning(String machineName, String serviceToCheck, ITestOutputHelper output)

    D:\Installation Kits\PI System Deployment Tests\source\PreliminaryChecks\PreliminaryChecks.cs(151,0): at OSIsoft.PISystemDeploymentTests.PreliminaryChecks.CheckRtqpEngineServiceTest()

    ----- Inner Stack Trace -----


  Output:

    Check service [PISqlDas.Rtqp] running on [PIAFTest].

OSIsoft.PISystemDeploymentTests.PreliminaryChecks.CheckRtqpEngineServiceTest [FINISHED] Time: 4.6971298s