CybersecurityGuidelines DESIGOCC V5x
Cybersecurity Guidelines
Application Guide
2 | 58 Restricted A6V11646120_en_d_50
8 Intended operating environment and application options ... 36
8.1 Single station in highly protected zone ... 36
8.1.1 SL2 requirements for single station deployment ... 37
8.2 Client/server with local intranet web server ... 38
8.2.1 SL2 requirements for local client/server deployment ... 39
8.3 Client/server with remote intranet web server ... 40
8.3.1 SL2 requirements for client/server deployment with remote intranet web server ... 41
8.4 Client/server with remote internet access using FlexClient ... 42
8.4.1 SL2 requirements for client/server deployment with remote internet access using FlexClient ... 43
8.5 Client/server in distributed solutions ... 44
8.5.1 Distributed system configurations ... 46
8.6 Virtual environment ... 47
9 Recommended System Hardening ... 48
9.1 Hardening Windows server ... 48
9.2 Hardening firewall ... 53
9.3 Hardening system server ... 54
9.4 Hardening system client ... 56
9.5 Hardening notification application ... 56
10 Maintenance of IT Components ... 57
1 About this document
NOTICE
Missing information
Damage due to misuse
● This document must be available in a usable format throughout the entire life
cycle of the product. Keep the document for reference and ensure that it can
be accessed by target groups.
Should you require another copy of this document, please contact the Customer
Support Center, phone +49 89 9221-8000.
This document contains guidelines and conditions for Desigo CC and describes
permitted applications for the intended operational environment.
Security-related information for the system operator, relating to maintaining
security throughout the life cycle of the system, is found in Maintenance of IT
Components.
Scope
The information contained in this document is valid for Desigo CC V5.0.
Target groups
The information in this document is intended for the following target groups:
Document identification
The document ID is structured as follows:
ID code: ID_languageCOUNTRY_modification index (example: A6V10215123_deDE_a)
-- = multilingual or international (examples: A6V10215123_en--_a, A6V10315123_----_a)
Date format
The date format in the document corresponds to the recommendation of
international standard ISO 8601 (format YYYY-MM-DD).
Presentation conventions
Text markups
Special text markups are used as follows in this document:
The 'i' symbol identifies additional information and tips to simplify the procedure.
The layout of the PDF version of this document was generated automatically. For
this reason, line breaks may occasionally occur within words, e.g., in text in
tables. Page breaks have been generated with rules but have not been optimized
in context.
Applicable documents
Document ID / Title:
● IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels
● ISO/IEC 27032: Information technology – Security techniques – Guidelines for cybersecurity
● ISO/IEC 27033 Part 1…6: Information technology – Security techniques – Network security
● ISO/IEC 27034 Part 1…6: Information technology – Security techniques – Application security
Download center
You will also find information about search variants and links to mobile
applications (apps) for various systems on the home page.
2 Technical terms and abbreviations
Term / Explanation:
… V1.1 are out-of-date versions that do not support modern cryptographic
algorithms, and they contain security vulnerabilities that may be exploited by
attackers. The newer V1.2 and V1.3 must be used.
TPM: Trusted Platform Module. TPM (ISO/IEC 11889) is an international standard
for a crypto-processor, an electronic component designed to secure hardware
through integrated cryptographic keys.
UDP: User Datagram Protocol. UDP is a transaction-oriented transport protocol
that offers no delivery guarantee and no duplicate protection. Applications
requiring ordered, reliable delivery of streams of data should use TCP.
VLAN: Virtual LAN. A VLAN is a broadcast domain that is partitioned and isolated
in a computer network at the data link layer (OSI layer 2).
VLANs work by applying tags to network frames and handling these tags in
networking systems, creating the appearance and functionality of network traffic
that is physically on a single network but acts as if it is split between
separate networks.
In this way, VLANs can keep network applications separate despite being
connected to the same physical network, without requiring multiple sets of
cabling and networking devices to be deployed.
WSI: Desigo CC Web Service Interface.
VPN: Virtual Private Network.
3 IT Security Notices
Responsibility of the system operator
The information technology (IT) used in a system is the responsibility of the system
operator.
Specifications for IT security are also put into effect through country-specific
legislation. You must observe the country-specific legislation when planning and
commissioning.
Siemens products are developed and produced in compliance with the relevant
European and international safety standards. Should additional country-specific or
local security standards or legislation concerning IT security apply at the place of
operation, you must apply these in addition to the guidelines and the permitted
applications in this document.
For example, the 'European Union Agency for Cybersecurity' (www.enisa.europa.eu)
provides information on basic IT security in Europe:
https://www.enisa.europa.eu/topics/cybersecurity-education.
For Germany, the 'Federal Office for Information Security' (BSI)
www.bsi.bund.de/EN provides information on basic IT security in both German and
English.
Further links: www.cisecurity.org
NOTICE
Modified Security Risks in the Life Cycle of the System
Additional security risks
● You must log compliance with the specifications. See Maintenance of IT
Components [➙ 57].
4 Cybersecurity basics
Introduction to cybersecurity
This section provides a basic overview of cybersecurity. If you are not familiar with
this subject area, make sure to read and understand concepts and definitions that
are presented in the following subsections.
5 Cybersecurity throughout the life cycle of the system
Installation and commissioning
NOTICE
The system operator is responsible for setting up and maintaining an appropriate
level of IT security. The following points and measures are to be considered in
particular:
NOTICE
Missing updates on the PC operating system
Access to fire detection system data and possible misuse of data when accessing
a fire detection installation
● Maintain and configure your PC in accordance with the guidelines in the
Siemens CERT 'Security Measure Plan for Windows'.
● PCs are only permitted for use if manufacturer support is in place for the
operating system used.
● All the updates and patches provided by the manufacturer must be installed on
the operating system. In addition, a continually updated antivirus software must
be installed.
● Integrity of the installed files must be checked for security assessment and as
an incident-response task.
See Recommended System Hardening [➙ 48].
Please contact your Siemens contact partner if you do not have access to the
web pages at https://www.cert.siemens.com/.
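The integrity check called for above, as an added example that is not code from the Desigo CC guide or from Siemens: it records SHA-256 hashes and Authenticode signature status of the executables and DLLs in the two program directories the guide names, and reports deviations during later assessments or incident response. The installation directory and the baseline path are assumptions.

```powershell
# Added example, not from the Desigo CC guide: build a hash/signature baseline of
# the installed program files after commissioning and compare against it later.
# Paths are assumptions except the WinCC OA bin directory named in the guide.
$Install  = 'C:\Program Files\Siemens\DesigoCC'    # assumed [Installation Directory]
$BinDirs  = @("$Install\GMSMainProject\bin", 'C:\Siemens\WinCC_OA\3.17\bin')
$Baseline = 'D:\SecureStore\desigocc-baseline.csv' # assumed; keep it off the server

function Get-InstallInventory([string[]]$Dirs) {
    Get-ChildItem -LiteralPath $Dirs -Recurse -File |
        Where-Object { $_.Extension -in @('.exe', '.dll') } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Take the baseline once, right after commissioning (and again after each approved update)
function New-InstallBaseline {
    Get-InstallInventory $BinDirs | Export-Csv -LiteralPath $Baseline -NoTypeInformation
}

# Report every file that is new, missing, changed, re-signed, or no longer validly signed
function Compare-InstallBaseline {
    $base = @{}
    Import-Csv -LiteralPath $Baseline | ForEach-Object { $base[$_.Path] = $_ }
    $seen = @{}
    foreach ($f in Get-InstallInventory $BinDirs) {
        $seen[$f.Path] = $true
        $b = $base[$f.Path]
        $finding = if (-not $b)                      { 'NEW FILE' }
                   elseif ($b.Sha256 -ne $f.Sha256)  { 'HASH CHANGED' }
                   elseif ($f.SigStatus -ne 'Valid') { "SIGNATURE $($f.SigStatus)" }
                   elseif ($b.Signer -ne $f.Signer)  { 'SIGNER CHANGED' }
        if ($finding) { [pscustomobject]@{ Finding = $finding; Path = $f.Path; Signer = $f.Signer } }
    }
    foreach ($p in $base.Keys) {
        if (-not $seen[$p]) { [pscustomobject]@{ Finding = 'MISSING'; Path = $p; Signer = $base[$p].Signer } }
    }
}

# Usage: New-InstallBaseline once; Compare-InstallBaseline | Format-Table during assessments
```

An empty result from Compare-InstallBaseline means every file still matches the commissioning state; any "SIGNATURE" or "SIGNER CHANGED" finding on a vendor binary warrants investigation before the next maintenance window.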
NOTICE
Access to Desigo CC data and possible misuse of data due to unprotected
smartphones or mobile terminals
● Configure your smartphone or mobile terminal according to the guidelines of
the Siemens CERT Security Measure Plan for Android Devices, Apple iOS
and Touchdown.
Please contact your Siemens contact partner if you do not have access to the
web pages at https://www.cert.siemens.com/.
Disposal / phase-out / EOL
● Encrypt the confidential customer data saved on the removable media and
treat the encryption password as confidential.
● Store the removable media in a lockable system housing designed for storing
such media.
● Lock the system housing used to store the removable media.
● Encrypt confidential data on the service laptop/PC.
A service laptop/PC that stores confidential customer data is subject to the same
protection requirements as removable media.
● Continually perform maintenance on the service laptop/PC, in accordance with
Guidelines for PCs [➙ 16].
● Maintenance for the service laptop/PC comprises the following aspects:
– Correct configuration
– Hardening
– Maintenance
– Patching
For more information about data encryption techniques and the BitLocker tool,
see Data encryption.
6 System security concept
Definition of security zones
The components in the highly protected zones should not be connected to other
networks (for example, intranet or internet), except for the required connections
detailed in this document. Required connections are those to the clients in the
office network and DMZ. The communication across different zones should be
limited to the necessary minimum by means of a firewall.
NOTICE
Insecure Networks
Connections between computers in the highly protected zone and insecure
networks like the Internet or any other networks can compromise the Desigo CC
security.
Zone boundary protection
[Diagram: zone boundary protection. Customer IT Local Office (HTML5 clients) and Customer IT DMZ (IIS web server) are each separated from the Desigo CC zone by a firewall; database: MySQL.]
Required Certificates
● Web Application (Click Once): Code Signing certificate (1.3.6.1.5.5.7.3.3), Digital signature; buy one digital certificate per Click Once client station.
Least functionality implementation
NOTICE
Avoid Exposed Network Shares
Since exposed network shares could be used to illicitly discover restricted
information from the network, avoid unrestricted use as much as possible.
For example, only enable users and computers that need access.
In Desigo CC, shares are only needed for installed clients and the web server
(unless they are on the same machine), not for the Windows App and web clients.
Since these should be reached via dedicated server or control room network,
never expose the shares to the office network or customer intranet (direct or
through VPN) and never expose shares to the Internet.
For more information, see Setting Up the Project in the Desigo CC online help.
Please note the following terms:
● Windows client account
Refers to the user logged on to Microsoft Windows on the client machine; this
Windows user can be different from the user logged on to Desigo CC.
● Web server account
Refers to the account configured in the Desigo CC web server installation.
The following subdirectories of the [project] directory are accessed by the client
installation (installed client or FEP) and the web server.
● Documents
Provide read access on all files and subfolders to the web server account and
all Windows client accounts.
● Devices, Graphics, Libraries, and Profiles
Provide read/write access on all files and subfolders (including the permission
to delete them, but not the root folder itself) to the web server account and all
Windows client accounts.
– Graphics
Access may be restricted to read-only for Windows client accounts that
only display but do not configure graphics.
– Libraries
Access may be restricted to read-only for Windows client accounts that
run Desigo CC in Operation mode only.
– Profile
Provide read access to all Windows client accounts, read/write access to
the web server account.
● Shared
Provide read access on all files and subfolders to the web server account and
all Windows client accounts.
● All other folders
Provide read/write access to the [System Account] only ([System Account] is
configured in SMC).
Do not provide access on these folders to any other account.
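One way to implement the folder permissions above as NTFS ACLs, as an added example that is not part of the guide and not Siemens code; all paths, account names and the choice of read-only client accounts are assumptions.

```powershell
# Added example, not from the Desigo CC guide: apply the [project] folder
# permissions listed above as NTFS ACLs. Run elevated. All paths and account
# names are assumptions; replace them with the values of your installation.
$Project      = 'D:\ProjectData\MyProject'                  # assumed [project] directory
$WebServerAcc = 'CORP\svc-desigo-web'                       # assumed web server account
$SystemAcc    = 'CORP\svc-desigocc'                         # assumed [System Account] configured in SMC
$ClientAccs   = @('CORP\opr-engineer', 'CORP\opr-display')  # assumed Windows client accounts
# Assumed: the display-only client gets read-only on Graphics and Libraries
$ReadOnlyOn   = @{ Graphics = @('CORP\opr-display'); Libraries = @('CORP\opr-display') }

$Both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$None = [System.Security.AccessControl.InheritanceFlags]::None

function New-Rule([string]$Account, [string]$Rights,
                  [System.Security.AccessControl.InheritanceFlags]$Inherit = $Both,
                  [System.Security.AccessControl.PropagationFlags]$Prop = 'None') {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, $Inherit, $Prop, 'Allow')
}
# Read access on all files and subfolders
function New-ReadRule($Account) { @(New-Rule $Account 'ReadAndExecute') }
# Read/write on all files and subfolders including deleting them, but not the root
# folder itself: Modify (which includes Delete) is inherited by children only, while
# the root gets read plus create rights without Delete.
function New-ReadWriteRule($Account) {
    @((New-Rule $Account 'Modify' $Both 'InheritOnly'),
      (New-Rule $Account 'ReadAndExecute, Write' $None 'None'))
}

function Set-FolderAcl([string]$Path, [object[]]$Rules) {
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and drop existing explicit rules, so only
    # the rules built here remain on the folder
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
    # Assumption: SYSTEM, local Administrators and the [System Account] keep full
    # control everywhere, for server operation, backup and maintenance
    foreach ($a in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $SystemAcc) {
        $acl.AddAccessRule((New-Rule $a 'FullControl'))
    }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$Listed = 'Documents', 'Shared', 'Devices', 'Graphics', 'Libraries', 'Profiles'
$all    = @($WebServerAcc) + $ClientAccs

# Documents and Shared: read for the web server account and all client accounts
foreach ($d in 'Documents', 'Shared') {
    Set-FolderAcl (Join-Path $Project $d) @($all | ForEach-Object { New-ReadRule $_ })
}
# Devices, Graphics, Libraries: read/write for the web server and client accounts,
# read-only for the client accounts named in $ReadOnlyOn
foreach ($d in 'Devices', 'Graphics', 'Libraries') {
    $rules = foreach ($a in $all) {
        if ($ReadOnlyOn[$d] -contains $a) { New-ReadRule $a } else { New-ReadWriteRule $a }
    }
    Set-FolderAcl (Join-Path $Project $d) @($rules)
}
# Profiles: read for all client accounts, read/write for the web server account
Set-FolderAcl (Join-Path $Project 'Profiles') @((New-ReadWriteRule $WebServerAcc) + ($ClientAccs | ForEach-Object { New-ReadRule $_ }))
# All other folders: only the [System Account] (added inside Set-FolderAcl), nobody else
Get-ChildItem -LiteralPath $Project -Directory | Where-Object { $_.Name -notin $Listed } |
    ForEach-Object { Set-FolderAcl $_.FullName @() }
```

Afterwards, `Get-Acl -LiteralPath (Join-Path $Project 'Graphics') | Format-List` shows the resulting rules, which is also a useful entry for the compliance log the guide asks for.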
Firewall rules and system services
Firewall Settings
When Desigo CC is used with a firewall, the processes that open ports for
communication are restricted by the firewall.
You must add the following ports as exceptions to the firewall if you are installing
Desigo CC on a server. Configuring your firewall settings allows the access
between the server and all its client stations, and between the server and field
panels.
The table below lists the TCP and UDP ports you should add to the server firewall
and any network firewalls between the server and clients, and between the server
and field panels.
NOTICE
Do not open a port for a program you do not recognize. The following table lists
all the ports required for safe operation of the system. Ports that are not required
for system operation must be closed to avoid any security risks.
Server Communication
Port usage across machine boundaries for client-server and server-server
communication
Core Services on Main Server
The port must be configured in the firewall of the main server for inbound
communication if the host is protected by a firewall.
Notes
Directories of the host processes:
1) Located in C:/Siemens/WinCC_OA/3.17/bin/
2) Located in [Installation Directory]/GMSMainProject/bin/
Variable ports:
3) The port of an SQL Server named instance is variable by default. See the SQL Server
documentation on how to configure a fixed port for a named instance.
Consumer:
5) Desigo CC System Management Console (SMC)
6) Executables on the client installation
[Installation Directory]/GMSMainProject/bin/Siemens.Gms.ApplicationFramework.exe
C:/Siemens/WinCC_OA/3.17/bin/WCCOActrl.exe
7) Executables on the client installation
[Installation Directory]/GMSMainProject/bin/Siemens.Gms.ApplicationFramework.exe
8) Executables on the FEP installation opening outbound connections
[Installation Directory]/GMSMainProject/bin/Siemens.Gms.ApplicationFramework.exe
C:/Siemens/WinCC_OA/3.17/bin/WCCOActrl.exe
Additional executables on the FEP depend on the driver type. For example,
BACnet: [Installation Directory]/GMSMainProject/bin/WCCOAGmsBACnet.exe
SNMP: C:/Siemens/WinCC_OA/3.17/bin/WCCOAsnmp.exe
9) Microsoft Internet Information Services (IIS)
10) [Installation Directory]/GMSMainProject/bin/WCCOAHDBReader.exe
[Installation Directory]/GMSMainProject/bin/WCCOAHDBWriter.exe
[Installation Directory]/GMSMainProject/bin/WCCOAReportMan.exe
11) [Installation Directory]/GMSMainProject/bin/WCCOACoHoMngr.exe
12) C:/Siemens/WinCC_OA/3.17/bin/WCCILdist.exe
Subsystem connectivity
Outbound connections (ports used by the host to connect to automation systems)
Notes
3) The default port for the first BACnet driver is UDP: 47808. The port can be changed. Every
additional driver needs another UDP port.
4) The default port for the first SNMP network is UDP: 161. The port can be changed. Every
additional network needs another UDP port.
5) File located in C:/Program Files/Siemens/Video API/Service/
Notification
Outbound connections (ports used by the host to connect to remote notification
systems)
History database (HDB) users and roles
Notification (MNS) database roles and backup folder
7 IEC62443 Security Level 2 (SL2)
Introduction to IEC62443 SL2 standard
System components and network separation in SL2 deployments
IEC 62443 SL2 general requirements
Administrative measures
● Restrict access to server computers to authorized users, and log that access.
● Restrict access to Installed Client, Windows App Client and IE Web Client to
authorized users.
● Require Windows authentication to gain access to the system.
● Establish a 24/7 hardware and software supervision to detect misuse,
alterations, and data corruption.
● Restrict user permissions according to the Least Privilege concept.
Technical measures
● Apply the IEC62443-4-2 SL2 computer hardening requirements, which include:
- Windows and Desigo CC system hardening, to reduce the vulnerability of the
solution.
- Network security, to support and manage the required separation.
- User security, to manage user accounts and system access.
- Application security, to control and monitor software applications and
services.
- Security information and event management, to monitor the integrity of the
system.
- Patch management, to support validation and prompt installation of security
updates.
- Backup and restore, to support backup and restore of the solution.
See Recommended System Hardening [➙ 48] for useful information.
System-specific measures
● Bind IP socket to receive data sent to the local address only.
● Use a separate NIC for each dedicated field network connection.
● Make sure to install all SL2-compliant Desigo CC EMs. Some application-
specific EMs may not be compliant.
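An added example, not from the guide, of Windows Defender Firewall rules for a FEP that apply the subsystem connectivity notes (default UDP ports 47808 and 161, the driver executables) together with the SL2 system-specific measures above (one NIC per field network, inbound accepted only on the local address). The installation directory, NIC aliases and field subnets are assumptions.

```powershell
# Added example, not from the Desigo CC guide: firewall rules for a FEP or server with
# dedicated field-network NICs. Default driver ports and executable names come from the
# guide's notes; install directory, NIC aliases and subnets are assumptions.
$Install  = 'C:\Program Files\Siemens\DesigoCC'   # assumed [Installation Directory]
$WinCCBin = 'C:\Siemens\WinCC_OA\3.17\bin'
$Group    = 'Desigo CC field networks'

$Drivers = @(
    # One dedicated NIC per field network; every additional driver/network needs its own UDP port.
    # Listens: BACnet devices send to the driver's port, so an inbound rule is needed; SNMP poll
    # replies are matched to the outbound request by stateful UDP handling (assumed: no traps).
    @{ Name = 'BACnet'; Exe = "$Install\GMSMainProject\bin\WCCOAGmsBACnet.exe"; Port = 47808
       Nic = 'Field-BACnet'; Net = '10.10.1.0/24'; Listens = $true },
    @{ Name = 'SNMP';   Exe = "$WinCCBin\WCCOAsnmp.exe";                        Port = 161
       Nic = 'Field-SNMP';   Net = '10.10.2.0/24'; Listens = $false }
)

# Start from a clean slate for this rule group so that re-running the script is idempotent
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($d in $Drivers) {
    # Only this executable may send to the field subnet, and only via the field NIC
    # ("do not open a port for a program you do not recognize")
    New-NetFirewallRule -DisplayName "Desigo CC $($d.Name) driver out" -Group $Group `
        -Direction Outbound -Action Allow -Program $d.Exe -Protocol UDP -RemotePort $d.Port `
        -RemoteAddress $d.Net -InterfaceAlias $d.Nic -Profile Any | Out-Null
    if ($d.Listens) {
        # Accept inbound only on the field NIC's own address and only from the field subnet;
        # the driver's socket should additionally be bound to this local address
        $local = (Get-NetIPAddress -InterfaceAlias $d.Nic -AddressFamily IPv4).IPAddress
        New-NetFirewallRule -DisplayName "Desigo CC $($d.Name) driver in" -Group $Group `
            -Direction Inbound -Action Allow -Program $d.Exe -Protocol UDP -LocalPort $d.Port `
            -LocalAddress $local -RemoteAddress $d.Net -InterfaceAlias $d.Nic -Profile Any | Out-Null
    }
}

# Least functionality: once every required allow rule from the guide's port tables exists,
# make "deny" the default in both directions. Call this deliberately, from the console,
# not over a remote session that the new default could cut.
function Set-DefaultDeny {
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

# Review what this script created (program, protocol and local/remote port per rule)
function Get-FieldNetworkRules {
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Direction = $_.Direction; Action = $_.Action
            Program = $app.Program; Protocol = $port.Protocol
            Ports = "local $($port.LocalPort) / remote $($port.RemotePort)"
        }
    }
}
Get-FieldNetworkRules | Format-Table -AutoSize
```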
8 Intended operating environment and application options
Single station in highly protected zone
Single-station configuration
This scenario includes the following features:
● Client and Server are hosted on the same machine.
● Operators have access to the server computer.
● Local configuration and administration
● Microsoft SQL Server installed locally
● Engineering, administration, and system maintenance / service are executed
on the same machine with high privilege account.
● Machine is only connected to dedicated field system networks.
● No IT firewall is required in between Desigo CC components.
● IPv4
Security
● Simple setup (certificate configuration not required).
● Effort for security configuration is low.
● A single-station system is protected from outside attacks only if the installation
guidelines for closing outside communication (firewall settings, virus scanner,
and backup) are followed.
Technical reference
● In the Desigo CC online help, in System Deployments, see Stand-Alone
System.
Deployment diagram
[Diagram: highly protected Desigo CC zone with one server backbone; protected server hardware hosting Desigo CC Client / Desigo CC Server together with BIRT, MySQL and WinCC OA, behind a firewall.]
Limitations
● All users are fully trusted (no privilege restrictions); therefore operators have
de facto high-privilege access.
● No customer network and Intranet/Internet access.
Client/server with local intranet web server
● IPv4/IPv6
● Internal firewalls
Technical reference
● In the Desigo CC online help, in System Deployments, see Client/Server.
For web configuration, in Project Setup, see Websites and Web
Applications.
Deployment diagram
[Diagram: Customer IT Local Office with Desigo CC Client and HTML5 clients; Customer IT Server Backbone with the Desigo CC Server, Desigo CC WSI, IIS Web Server and MySQL, plus Desigo CC FEPs; Desigo CC Server Backbone Control Room with Desigo CC Clients (installed and HTML5).]
Client/server with remote intranet web server
Technical reference
● In the Desigo CC online help, in System Deployments, see Client/Server.
For web configuration, in Project Setup, see Websites and Web
Applications.
Deployment diagram
[Diagram: Customer IT Intranet, Branch office and Home office with Desigo CC Clients, separated by a firewall; Customer IT Local Office with Desigo CC Client, HTML5 client and the IIS web server; Customer IT Server Backbone with the Desigo CC Server, FEPs (with local client) and MySQL; Desigo CC Server Backbone Control Room with Desigo CC Clients (installed and HTML5).]
Client/server with remote internet access using FlexClient
Technical reference
● In the Desigo CC online help, in System Deployments, see Server and a
Remote Web Server (IIS).
For web configuration, in Project Setup, see Websites and Web
Applications.
Deployment diagram
[Diagram: WWW; Customer IT Branch office and Home office with Desigo CC Clients (HTML5), separated by a firewall; Customer IT DMZ with the IIS web server; Customer IT Local Office with Desigo CC Client and HTML5 client; Customer IT Server Backbone with the Desigo CC Server, FEPs (with local client) and MySQL; Desigo CC Server Backbone Control Room with Desigo CC Clients (installed and HTML5).]
Client/server in distributed solutions
Technical reference
● In the Desigo CC online help, see Distributed Systems.
Deployment diagram
[Diagram: WWW; Customer IT Branch office and Home office with Desigo CC Clients (HTML5), separated by a firewall; Customer IT DMZ with the IIS web server; Customer IT Local Office with Desigo CC Client and HTML5 client; two Customer IT Server Backbones (1 and 2), each with Desigo CC Client / Desigo CC Server, Desigo CC WSI / Desigo CC FEP and Desigo CC Server; Desigo CC Server Backbone Control Room with Desigo CC Clients (installed and HTML5) and MySQL.]
Virtual environment
Technical reference
● In the Desigo CC online help, see Virtualization and VM Software.
9 Recommended System Hardening
Hardening Windows server
Separate networks
Depending on the architecture of your Desigo CC solution, the zone boundary
protection must be implemented via firewall to limit the inbound and outbound
communication among network zones. See Zone boundary protection [➙ 21].
traffic to another device and offers more options on handling that traffic, leaving the
server to perform its main duty. Whichever method you use, the key point is to
restrict traffic to only necessary pathways.
See Hardening firewall [➙ 53].
● Verify that the local guest account is disabled where applicable. None of the
built-in accounts is secure.
● Use a password policy to make sure accounts cannot be compromised. If your
server is a member of AD, the password policy is set at the domain level in the
Default Domain Policy. Stand-alone servers can be set in the local policy
editor. Either way, a good password policy will at least establish:
- Complexity and length requirements. We recommend 15 or at least 12
characters, including upper case, lower case, special characters, and numbers.
- Password expiration, to enforce periodic password change.
- Password history, to prevent reusing the same password.
- Account lockout after a number of failed login attempts.
● If accounts are created by default or from a template, use different passwords
for each installation.
● Do not use the same password for the default administrator account and the
service account.
● Make sure there is a process in place to disable and then remove (above
desired logs' retention time) old/unused user accounts.
● Auto-logon features skip the identification of a user and should therefore only
be used either in controlled environments, where the effective user can be
determined by other means, or for users that are only authorized to see non-
restricted data.
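An added example, not from the guide, that applies the password policy above to a stand-alone server through secedit and disables the built-in Guest account at the same time; the expiration, history and lockout values are assumptions where marked.

```powershell
# Added example, not from the Desigo CC guide: set the local password and lockout
# policy of a stand-alone Desigo CC server to the values recommended above and
# disable the Guest account. Domain members get this from the Default Domain
# Policy instead. Run elevated. Values marked "assumed" are not in the guide.
$cfg = Join-Path $env:TEMP 'desigocc-secpol.inf'
$db  = Join-Path $env:TEMP 'desigocc-secpol.sdb'

$Want = [ordered]@{
    MinimumPasswordLength = 12   # guide: 15 recommended, at least 12 (raise where the OS allows it)
    PasswordComplexity    = 1    # upper case, lower case, numbers and special characters
    MaximumPasswordAge    = 90   # days; periodic password change (assumed value)
    MinimumPasswordAge    = 1    # days; stops cycling straight back to an old password (assumed)
    PasswordHistorySize   = 24   # remembered passwords (assumed value)
    LockoutBadCount       = 5    # failed logon attempts before lockout (assumed value)
    LockoutDuration       = 15   # minutes (assumed value)
    ResetLockoutCount     = 15   # minutes (assumed value)
    EnableGuestAccount    = 0    # guide: local guest account disabled
}

function Set-LocalSecurityPolicy([System.Collections.IDictionary]$Settings) {
    # Export the current policy, rewrite the [System Access] keys, import it back
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $text = Get-Content -LiteralPath $cfg -Raw
    foreach ($k in $Settings.Keys) {
        $line = "$k = $($Settings[$k])"
        if ($text -match "(?m)^\s*$k\s*=") {
            $text = $text -replace "(?m)^\s*$k\s*=[^\r\n]*", $line
        } else {
            # Key not present in the export: add it directly under the section header
            $text = $text -replace '(?m)^\[System Access\][^\r\n]*', "[System Access]`r`n$line"
        }
    }
    Set-Content -LiteralPath $cfg -Value $text -Encoding Unicode   # secedit expects a Unicode .inf
    secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -LiteralPath $cfg, $db -ErrorAction SilentlyContinue
}

# Read back the effective values for the compliance log
function Get-LocalPasswordPolicy {
    $out = net.exe accounts
    $pick = { param($label) (($out | Select-String $label).Line -split ':')[-1].Trim() }
    [pscustomobject]@{
        MinimumLength    = & $pick 'Minimum password length'
        MaximumAgeDays   = & $pick 'Maximum password age'
        HistoryLength    = & $pick 'Length of password history'
        LockoutThreshold = & $pick 'Lockout threshold'
    }
}

Set-LocalSecurityPolicy $Want
Get-LocalPasswordPolicy
```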
Support of OpenID using OAuth 2.0 Authorization Code Flow
● In the current release, Desigo CC supports Auth0 as identity provider. It
supports OpenID with the OAuth 2.0 protocol using the Authorization Code Flow.
● Note that, in its implementation of OpenID, Desigo CC does not use the State
parameter, an opaque value that maintains state between the client request
and the server callback. Typically, this is implemented with a session cookie in
the browser and mitigates so-called Cross-Site Request Forgery (CSRF or XSRF)
attacks. In Desigo CC, we do not see a CSRF risk from omitting the State
parameter, as we apply the Authorization Code Flow (see also RFC 6749,
OAuth 2.0). The user's access token from the Authorization Server is validated
by Desigo CC before a session is created on the server. If the user details do
not match, the session is not created.
the control of Siemens to provide patches for components that are operated with
Desigo CC but do not originate from Siemens, such as client operating systems.
● Use a proper discovery service
The only way to know if a breach or vulnerability exists is to employ broad
discovery capabilities. A proper discovery service entails a combination of active
and passive discovery features and the ability to identify physical, virtual, and on
and off premise systems that access your network. Developing this current
inventory of production systems, including everything from IP addresses, OS types
and versions and physical locations, helps keep your patch management efforts up
to date. It is therefore important to inventory your network on a regular basis.
● Perform application patching
Many limitations of OS platform support and discovery services lie in accounting for
only applications from a specific OS and ignoring third-party software. Much of
Windows software vulnerabilities come from non-Microsoft applications running on
Windows, which means you not only need comprehensive OS coverage, but also
comprehensive application coverage.
● Apply coverage on and off premise
Patching your OS and applications will be meaningless, however, if not done for
every computer in every location. Users can work remotely without ever touching
the network, but the network must secure these users as if they were on premise.
Patch management systems and other security controls should provide the same
level of coverage and control off premise as they do on premise.
● Patch frequently
As more end user systems can leave the network, patching frequency becomes
more important. You may be following the patching patterns of prominent tech
influencers, but they could be wrong for you. Microsoft may keep to a predictable
security patch release cycle, but most other vendors have unpredictable release
schedules.
NOTICE
End of Life IT Components
IT components must be replaced as soon as they pass their End of Life.
Hardening firewall
code. If the target is vulnerable, the attacker will then run a payload of the
attacker’s choice on the target. This was the mechanism behind the effective
distribution of WannaCryptor.D ransomware across networks.
Mitigating factors: Disable SMBv1 in Windows and Windows Server.
See the following references:
● https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
● https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always
● https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-windows-server-2012/
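The SMBv1 mitigation above as an added example (not code from the guide or from the Microsoft references): it first audits which clients still use SMB1, then disables the protocol and enforces SMB signing on both the server and client side.

```powershell
# Added example, not from the Desigo CC guide: audit, then disable SMBv1 on the
# Desigo CC server and require SMB signing. Run elevated; removing the SMB1
# feature needs a restart to take full effect.

function Get-SmbHardeningState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSmb1Enabled     = $srv.EnableSMB1Protocol
        ServerSigningRequired = $srv.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        Smb1AuditEnabled      = $srv.AuditSmb1Access
        # Sessions still negotiating an SMB 1.x dialect would break once SMBv1 is switched off
        ActiveSmb1Sessions    = @(Get-SmbSession -ErrorAction SilentlyContinue |
                                  Where-Object { $_.Dialect -like '1.*' }).Count
    }
}

# Step 1: before switching SMBv1 off, record who still uses it. Event ID 3000 in the
# Microsoft-Windows-SMBServer/Audit log is written for each SMB1 client access.
function Enable-Smb1Audit { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }

function Get-Smb1AuditEvents([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Step 2: disable SMBv1 on the server, remove the SMB1 feature, and require signing in
# both directions (the "Digitally sign communications (always)" policy settings)
function Disable-Smb1AndRequireSigning {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null                                      # Windows Server
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null  # Windows client OS
    }
}

Enable-Smb1Audit
Get-SmbHardeningState
# After reviewing Get-Smb1AuditEvents for an audit period with no legitimate SMB1 clients:
# Disable-Smb1AndRequireSigning; Get-SmbHardeningState
```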
Hardening system server
vulnerabilities and flaws. Software vulnerability scanning should include both the
Windows operating system and bundled apps that ship with it.
Hardening system client
Controls:
● Apply the relevant hardening Windows requirements. See Hardening Windows server [➙ 48].
● Apply the relevant hardening system requirements. See Hardening system server [➙ 54].
10 Maintenance of IT Components
The maintenance of IT security is a sustained process for which the corresponding
tasks must be continually repeated. Each designated security measure must
therefore be examined to determine whether it is sufficient to implement it once or
whether implementation at regular intervals is required, such as regular antivirus
software updates.
● Log all maintenance measures implemented.
● Observe the information in the 'IT Security Notices' chapter.
● Install security updates regularly.
● Run risk analyses on the security properties of the applied software at regular
intervals.
You will find information on a corresponding risk analysis here, for example:
● https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_it_grundschutz.html
● https://www.bsi.bund.de/EN/Topics/ITGrundschutz/Download/download_node.html
Issued by
Siemens Switzerland Ltd
Smart Infrastructure
Global Headquarters
Theilerstrasse 1a
CH-6300 Zug
+41 58 724 2424
www.siemens.com/buildingtechnologies