User Manual
4
Cyber Security Concepts -
How to Secure the System
Cyber Security Concepts
-
46
Siemens Application Note
Smart Infrastructure
4.9 Physical and Environmental Security
In order to protect the Desigo CC Server, the cabling and the clients, do the
following:
Desigo CC Servers and all servers that are connected to Desigo CC should be
in a data center or server room with restrictive access control.
Desigo CC clients that are directly accessed by users could be locked in
furniture in a way that a regular user does not have physical access to the client
computer and its interfaces like USB ports or CD drive.
Alternatively, client machines could be also located in an access-controlled data
center or server room providing restrictive access control like the Desigo CC
servers.
Protect physical access to the cabling in the Backbone Level protection zone.
Define and implement processes for granting and revoking physical access.
Additional controls, such as site protection, additional restrictive access control
for the building and rooms, security guards or surveillance can contribute to the
physical security of the system.
4.10 Incident Handling
If a security-related event occurs, please immediately contact your Siemens point
of contact (e.g. Field Engineer, Sales Representative) or contact Siemens
Computer Emergency Response Team for products (ProductCERT).
Internet: http://www.siemens.com/cert/advisories
Email: productcert@siemens.com
To ensure that your issue can be dealt with as quickly as possible, please provide
your input to ProductCERT either in English or in German.
4.11 Windows Hardening
First, let's define "hardening". When you harden a system, you're attempting to
reduce its surface of vulnerability. Ideally, you want to be able to leave it exposed
to the general public on the Internet without any other form of protection. This isn't
a system you'll use for a wide variety of services. A hardened system should serve
only one purpose--it's a Web server or DNS or Exchange server, and nothing else.
You don't typically harden a file and print server, or a domain controller, or a
workstation. These systems need too many functions to be properly hardened.
System Hardening Steps
To harden a Windows server, you'll need to do the following three steps, at a bare
minimum:
Disable all unnecessary services. To do this, you first need to determine
which services can be disabled. Sounds simple enough, but it's not. For
example, it's impossible to disable the Remote Procedure Call (RPC) service.
Also, little documentation exists to identify what services a given purpose will
require. Even if we had such a list, it would likely change depending on a
vendor's specific implementation (say, of a DNS or mail server). In the end,
knowing which services are required and which can be disabled is largely a
matter of trial and error.
Remove all unnecessary executables and registry entries. Forgetting to re-
move unneeded executables and registry entries might allow an attacker to in-
voke something that had previously been disabled.
Apply appropriately restrictive permissions to files, services, end points
and registry entries. Inappropriate permissions could give an attacker an
opening. The ability to launch CMD.EXE as "Local System," for example, is a
classic backdoor.