User Manual
Cybersecurity Concepts – How to Secure the System
Main Server Folder Shares for Client and FEP Installations
A6V11646120_enUS_c_41
The local client and the web server on the Desigo CC server do not need file sharing;
only access rights to the folders in the project directory must be configured.
Below you can find a description of what can actually be configured.
NOTICE
Avoid Exposed Network Shares
Since exposed network shares could be used to illicitly discover restricted
information from the network, avoid unrestricted shares as much as possible. For
example, grant access only to the users and the computers that need it.
In Desigo CC, shares are only needed for installed clients and the web server
(unless they are on the same machine), not for the Windows App and web clients.
Since these should be reached via a dedicated server or control room network, never
expose the shares to the office network or customer intranet (direct or through VPN)
and never expose shares to the Internet.
See section Setting Up the Project in the Desigo CC online help.
Please take note of the following terms:
● Windows client account
Refers to the user logged on to Microsoft Windows on the client machine; this
Windows user can be different from the user logged on to Desigo CC.
● Web server account
Refers to the account configured in the Desigo CC web server installation.
The following subdirectories of the [project] directory are accessed by the client
installation (installed client or FEP) and the web server.
● Documents
Provide read access on all files and subfolders to the web server account and all
Windows client accounts.
● Devices, Graphics, Libraries, and Profiles
Provide read/write access on all files and subfolders (including the permission to
delete them, but not the root folder itself) to the web server account and all
Windows client accounts.
– Graphics
Access may be restricted to read-only for Windows client accounts that only
display but do not configure graphics.
– Libraries
Access may be restricted to read-only for Windows client accounts that run
Desigo CC in Operation mode only.
– Profiles
Provide read access to all Windows client accounts, read/write access to the
web server account.
● Shared
Provide read access on all files and subfolders to the web server account and all
Windows client accounts.
● All other folders
Provide read/write access to the [System Account] only ([System Account] is
configured in SMC).
Do not provide access on these folders to any other account.
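
One way to apply the folder permissions listed above, shown as an added PowerShell example that is not taken from the Desigo CC documentation. The project path, the web server account and the group holding the Windows client accounts are placeholders, and the example assumes the access rights are set as NTFS permissions; the "All other folders" rule is not handled here.

```powershell
# Added example. Path, account and group names are placeholders (assumptions).
$ProjectDir = 'D:\Projects\ExampleProject'  # stands in for the [project] directory
$WebServer  = 'EXAMPLE\svc-web'             # web server account (placeholder)
$Clients    = 'EXAMPLE\Project-Clients'     # group of Windows client accounts (placeholder)

function Grant-FolderAccess {
    param([string]$Path, [string]$Account,
          [ValidateSet('Read', 'ReadWrite')][string]$Level)
    $type = 'System.Security.AccessControl.FileSystemAccessRule'
    $all  = 'ContainerInherit,ObjectInherit'   # this folder, its subfolders and files
    if ($Level -eq 'Read') {
        $rules = @(New-Object -TypeName $type -ArgumentList $Account, 'ReadAndExecute', $all, 'None', 'Allow')
    } else {
        $rules = @(
            # Root folder itself: read and create/write, but no Delete right.
            New-Object -TypeName $type -ArgumentList $Account, 'ReadAndExecute,Write', 'None', 'None', 'Allow'
            # Everything below the root: Modify, which includes Delete.
            New-Object -TypeName $type -ArgumentList $Account, 'Modify', $all, 'InheritOnly', 'Allow'
        )
    }
    $acl = Get-Acl -LiteralPath $Path
    # Drop the account's existing explicit entries so a broader grant does not survive.
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Account)
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Folder -> access level per account, following the list above.
$plan = @(
    @{ Folder = 'Documents'; Web = 'Read';      Client = 'Read' }
    @{ Folder = 'Shared';    Web = 'Read';      Client = 'Read' }
    @{ Folder = 'Devices';   Web = 'ReadWrite'; Client = 'ReadWrite' }
    @{ Folder = 'Graphics';  Web = 'ReadWrite'; Client = 'ReadWrite' }  # 'Read' for display-only clients
    @{ Folder = 'Libraries'; Web = 'ReadWrite'; Client = 'ReadWrite' }  # 'Read' for Operation-mode-only clients
    @{ Folder = 'Profiles';  Web = 'ReadWrite'; Client = 'Read' }
)

foreach ($p in $plan) {
    $path = Join-Path $ProjectDir $p.Folder
    Grant-FolderAccess -Path $path -Account $WebServer -Level $p.Web
    Grant-FolderAccess -Path $path -Account $Clients   -Level $p.Client
}
```

Entries inherited from the [project] directory are not changed by this script, so review them separately with Get-Acl.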