User Manual
Cybersecurity Concepts – How to Secure the System
Incident Handling
3
70 | 88
A6V11646120_enUS_c_41
3.10 Incident Handling
If a security-related event occurs, please immediately contact your Siemens point of
contact (for example, Field Engineer or Sales Representative) or contact Siemens
Computer Emergency Response Team for products (ProductCERT).
Internet: http://www.siemens.com/cert/advisories
Email: productcert@siemens.com
● To ensure that your issue gets resolved soon, please provide your input to
ProductCERT either in English or in German.
3.11 Windows Hardening
First of all, let's define *hardening*. When you harden a system, you are attempting to reduce its surface of vulnerability. Ideally, you want to be able to leave it exposed to the general public on the Internet without any other form of protection. This is not a system you will use for a wide variety of services. A hardened system should serve only one purpose—it is a web server or DNS or Exchange Server and nothing else. You do not typically harden a file and print server, a domain controller, or a workstation. These systems need too many functions to be properly hardened.
System Hardening Steps
To harden a Windows server, you must perform the following steps, at a bare
minimum:
● Disable all unnecessary services. To do this, you first need to determine which services can be disabled. Sounds simple enough, but it is not. For example, it is not possible to disable the Remote Procedure Call (RPC) service. Also, little documentation exists to identify what services a given purpose will require. Even if we had such a list, it would likely change depending on a vendor's specific implementation (say, of a DNS or mail server). In the end, knowing which services are required and which can be disabled is largely a matter of trial and error.
● Remove all unnecessary executables and registry entries. Forgetting to remove unneeded executables and registry entries might allow an attacker to invoke something that had previously been disabled.
● Apply appropriately restrictive permissions to files, services, end points, and registry entries. Inappropriate permissions could give an attacker an opening. For example, the ability to launch CMD.EXE as *Local System* is a classic backdoor.
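The three steps above as an added audit script (not code from this manual or from Siemens): it compares the host's services against an assumed allowlist of what a single-purpose server needs, reports the rest as candidates for disabling, and checks whether low-privilege principals can write to the binaries or registry keys of the services that remain. The allowlist and the `$weakWriters` pattern are constructed placeholders to adjust for the server's role.

```powershell
# Added example, not the manual's code. Run as administrator; without -Apply it only reports.
param(
    [string[]]$RequiredServices = @('RpcSs','EventLog','Dnscache','W32Time','WinRM'),  # constructed placeholder
    [switch]$Apply
)

# Principals that should never hold write rights on a service binary or its key (assumption).
$weakWriters = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'

# Returns the low-privilege identities allowed to modify the file or registry key at $path.
function Get-WeakWriters([string]$path) {
    $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -match $weakWriters -and
                       ($_.FileSystemRights -match 'Write|Modify|FullControl' -or
                        $_.RegistryRights   -match 'SetValue|CreateSubKey|WriteKey|FullControl') } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Steps 1 and 2: every enabled service not on the allowlist is a candidate for disabling,
# and its binary for removal once the service is confirmed unneeded. RpcSs stays on the
# list because, as the manual notes, the RPC service cannot be disabled.
$services = Get-CimInstance Win32_Service
foreach ($svc in $services) {
    if ($RequiredServices -contains $svc.Name -or $svc.StartMode -eq 'Disabled') { continue }
    Write-Output ("DISABLE-CANDIDATE {0} (start={1}, state={2}, account={3})" -f
        $svc.Name, $svc.StartMode, $svc.State, $svc.StartName)
    if ($Apply) { Set-Service -Name $svc.Name -StartupType Disabled }
}

# Step 3: for the services that stay, verify that low-privilege principals cannot replace
# the binary or rewrite the service key; a writable binary on a LocalSystem service is
# the kind of opening the manual describes.
foreach ($svc in ($services | Where-Object { $RequiredServices -contains $_.Name })) {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+-|\s+/')[0] }
    foreach ($w in Get-WeakWriters $exe) {
        Write-Output ("WEAK-ACL binary {0} of service {1} (runs as {2}) writable by {3}" -f $exe, $svc.Name, $svc.StartName, $w)
    }
    foreach ($w in Get-WeakWriters "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)") {
        Write-Output ("WEAK-ACL registry key of service {0} writable by {1}" -f $svc.Name, $w)
    }
}
```

Review the DISABLE-CANDIDATE list against the server's actual role before re-running with -Apply; as the text says, which services are truly required is learned by trial and error.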
The benefits of OS hardening a Windows server are that you will have fewer patches
to apply, you will be less likely to be vulnerable to the average exploit, and you will
have fewer records to review in the logs. You can focus your attention on what the
server is doing, not on unnecessary services it may have running.
On the other hand, it is very difficult to properly harden/configure a system and keep it
running effectively. Documentation is scarce and permissions are required to make it
effective. Finally, even a hardened Windows server will probably have far too many
resident files and registry entries to effectively monitor and maintain.