User Manual

ManualsBrandsSiemens ManualsBuilding automationDesigo CC MP 5.0 BACnet Server, BACnet Protocol Implementation Conformance Statement (PICS), Basic Documentation

Checklist

A6V11646120_enUS_c_41

85 | 88

Obfuscate Local Administrator Accounts

More often, malicious programs and hackers will target default local administrator

accounts as low hanging fruit for exploitation. A simple renaming of an administrator

account adds a simple but effective layer of defense against brute-force attacks.

Choosing a less common name makes the account less susceptible to hacking

attempts—though in later versions of Windows, local administrator accounts are

disabled by default.

Disable Guest/Anonymous Accounts

This applies to both Windows and Windows-related services—so guest and

anonymous accounts in use by Windows as well as other Windows-related services

(For example Microsoft SQL Server, Exchange) should be disabled. Be sure to

account for all Windows-related packages, including Microsoft SharePoint

deployments and IIS instances.

Disable Windows Users

Windows accounts should be disabled. Only Desigo CC accounts should be allowed.

Put LAN Manager in Check

The dated LM (LAN Manager) and NTLMv1 authentication protocols have

vulnerabilities and should be disabled. LM hash storage should also be disabled, as

LM password hashes are easily converted back to plain text.

Institute Proper Password Management

In the Windows security realm, 12 characters is the bare minimum for a marginally

strong password. As an added precaution, requiring users to select passwords with a

15-character minimum will suffice—with the usual symbol and case assortment

requirements.

Controls

Status

Implement physical and environmental security controls.

Implement network separation.

Implement protective firewall rules.

Implement secure communication to the clients.

Implement user management controls.

Implement access control measures.

Implement operational security controls.

Clients

All clients that are attached to other networks must implement secure operation,

including hardening and malware protection in order to reduce risk to Desigo CC.

Hardening is performed using mostly native Windows and Microsoft tools.

Malware and hackers attack by exploiting security vulnerabilities. The solution is to

reduce the attack surface so that we provide fewer opportunities for exploitation. The

main principle is least privilege. To implement the principle of least privilege is to

configure your system so that it only does what you normally do, and nothing else.

This minimizes the attack surface, and removes services that listen on the network

24/7 to anybody who wants to send it stuff (like an exploit).

Good security means deter, deny, delay, and detect. Hardening covers the first piece.

You must also disable the saving function for credentials for all browsers.