User Manual
4 Cyber Security Concepts - How to Secure the System
Siemens Application Note
Smart Infrastructure
4.6 Main Server Folder Shares for Client and FEP Installations
When installing additional Installed Clients for DCC version 3.x, FEPs or a remote
Web Server, the project directory needs to be shared and the access rights to the
folders must be configured.
For DCC version 4.0 the project directory is no longer shared; only the
individual folders that need to be accessed remotely are shared. Access to the
shares is typically configured via SMC (the engineer only needs to assign the
user accounts / groups; SMC takes care of setting the rights).
The local client and the Web Server on the Desigo CC Server do not need file
sharing; only access rights to the folders in the project directory need to be
configured.
The following describes what can actually be configured.
NOTE:
Avoid Exposed Network Shares
Since exposed network shares could be used to illicitly discover confidential information
from the network, restrict their use as much as possible, for example, only to the users and
the computers that need access.
In Desigo CC, shares are only needed for Installed Clients and the Web Server (unless
they are on the same machine), not for the Windows App and Web Clients.
Since these should be reached via a dedicated server or control room network, never
expose the shares to the office network or customer intranet (direct or via VPN) and never
expose shares to the Internet.
See section Sharing the Project Folder on the Server in the Desigo CC Online
Help.
Please take note of the following terms:
Windows client account
Refers to the user logged on to Microsoft Windows on the client machine;
this Windows user can be different from the user logged on to Desigo CC.
Web Server account
Refers to the account configured in the Desigo CC Web Server installation.
The following subdirectories of the [project] directory are accessed by the client
installation (Installed Client or FEP) and the Web Server.
Documents
Provide read access on all files and subfolders to the Web Server account
and all Windows client accounts.
Devices, Graphics, Libraries, and Profiles
Provide read/write access on all files and subfolders (including the right to
delete them, but not the root folder itself) to the Web Server account and all
Windows client accounts.
- Graphics
Access may be restricted to read-only for Windows client accounts that
only display but do not configure graphics.
- Libraries
Access may be restricted to read-only for Windows client accounts that
run Desigo CC in Operation mode only.
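To check the resulting configuration against the list above, the following PowerShell script audits the SMB share permissions below the project directory. It is an added example, not part of the Siemens manual or of SMC. Assumptions: the project path is a placeholder, the list of "too broad" principals uses English account names, and only share permissions (not the folder ACLs) are inspected.

```powershell
# Added example: audits SMB share permissions below a Desigo CC project directory.
# Run on the Desigo CC Server in an elevated PowerShell session.
param(
    # Assumption: placeholder path, replace with the real [project] directory.
    [string]$ProjectRoot = 'D:\DesigoCC\Projects\ExampleProject'
)

# Highest share right each subfolder needs, taken from the list in this section.
$expected = @{ Documents = 'Read'; Devices = 'Change'; Graphics = 'Change';
               Libraries = 'Change'; Profiles = 'Change' }
# 'Custom' is ranked highest so that it is always reported for manual review.
$rank  = @{ Read = 1; Change = 2; Full = 3; Custom = 3 }
# Assumption: principals treated as too broad for a restricted share.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users',
         'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Users'

$root = $ProjectRoot.TrimEnd('\')
$findings = foreach ($share in Get-SmbShare -Special $false) {
    $path = "$($share.Path)".TrimEnd('\')
    if (-not $path) { continue }                       # share without a file system path
    $isRoot  = $path -ieq $root
    $isChild = $path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
    if (-not ($isRoot -or $isChild)) { continue }      # not part of the project

    $leaf = Split-Path $path -Leaf
    if ($isRoot) {
        "$($share.Name): whole project directory is shared (only expected for DCC 3.x)"
    } elseif (-not $expected.ContainsKey($leaf)) {
        "$($share.Name): folder '$leaf' is not in this section's list of accessed folders"
    }
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $right = "$($ace.AccessRight)"
        if ($broad -contains $ace.AccountName) {
            "$($share.Name): broad principal '$($ace.AccountName)' has $right"
        }
        if ($expected.ContainsKey($leaf) -and $rank[$right] -gt $rank[$expected[$leaf]]) {
            "$($share.Name): '$($ace.AccountName)' has $right, section needs at most $($expected[$leaf])"
        }
    }
}
if ($findings) { $findings } else { 'No share findings.' }
```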