Siemens Smart Infrastructure
Application Note / User Manual
Cyber Security Concepts - How to Secure the System
The benefits of OS hardening a Windows server are that you will have fewer
patches to apply, you'll be less likely to be vulnerable to the average exploit, and
you'll have fewer records to review in the logs. You can focus your attention on
what the server is doing, not on unnecessary services that may be running.
On the other hand, it is very difficult to properly harden and configure a system and keep
it running effectively. Documentation is scarce, and elevated permissions are required to
make the changes effective. Finally, even a hardened Windows server will probably have far
too many resident files and registry entries to monitor and maintain effectively.
4.12 Web Browser Security
When using any web browser to run a Desigo CC client, give special attention to the
security settings of that browser. Make sure the browser's function for saving
credentials is disabled in the browser settings.
Update to TLS 1.2 as default secure protocols in Windows
TLS stands for "Transport Layer Security." It is a protocol that provides privacy and
data integrity between two communicating applications and is the most widely deployed
security protocol in use today. TLS is used by web browsers and other applications
that require data to be securely exchanged over a network; through encryption and
endpoint identity verification it ensures that the remote endpoint a client connects to
is the intended one. Client-server applications use the TLS protocol to communicate
across a network in a way designed to prevent eavesdropping and tampering. There are
known vulnerabilities in SSL 3.0 and TLS 1.0 which allow adversaries to monitor or
intercept traffic and decrypt supposedly secure transmissions. Updating to TLS 1.2
provides an enhanced level of encryption to protect our network.
See "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in
Windows":
https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
Update PresentationHost.exe to TLS 1.2
By default, the XBAP client runs on TLS 1.0 even if TLS 1.2 is enabled on all machines
of the customer's site. The browser connects on TLS 1.2, but Microsoft's
PresentationHost.exe (which executes our XBAP client) reconnects on TLS 1.0.
So not only the OS, but also PresentationHost.exe needs to be moved to TLS 1.2.
There is no official Microsoft support page dedicated to just this issue, only more
general ones such as this one:
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
In the end, what needs to be done is to enable TLS 1.2 in the registry on the machines
running the XBAP browser client (on Windows 10 only the last two entries are needed):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    DisabledByDefault (type = DWORD, Value = 0 hexadecimal)
    Enabled (type = DWORD, Value = 1 hexadecimal)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
    SchUseStrongCrypto (type = DWORD, Value = 1 hexadecimal)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
    SchUseStrongCrypto (type = DWORD, Value = 1 hexadecimal)
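The following PowerShell script is an added example and is not part of the Siemens manual or the Desigo CC product; it audits the four registry values listed above on a client machine and, only when the -Apply switch is given, creates the keys and writes the values. The function names, the -Apply switch and the table of expected values are assumptions of this example; the paths and values themselves are the ones the manual lists (the registry is case-insensitive, so ".NetFramework" and ".NETFramework" refer to the same key).

```powershell
# Added example (not the manual's own script): audit and optionally apply the
# TLS 1.2 client registry settings listed above. Run from an elevated PowerShell
# session; SCHANNEL changes take full effect only after a reboot.

# Expected values, taken from the list in the manual. The Wow6432Node entry
# covers 32-bit .NET processes on 64-bit Windows and does not exist on 32-bit OS.
$Tls12ClientSettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'DisabledByDefault'; Expected = 0; Wow64Only = $false },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'Enabled'; Expected = 1; Wow64Only = $false },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto'; Expected = 1; Wow64Only = $false },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto'; Expected = 1; Wow64Only = $true }
)

function Test-Tls12ClientConfig {
    # Returns one object per expected value with Status = OK / Missing / Mismatch / Skipped.
    foreach ($s in $Tls12ClientSettings) {
        if ($s.Wow64Only -and -not [Environment]::Is64BitOperatingSystem) {
            $status = 'Skipped'; $actual = $null
        } else {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $status = 'Missing'; $actual = $null
            } else {
                $actual = $item.($s.Name)
                $status = if ($actual -eq $s.Expected) { 'OK' } else { 'Mismatch' }
            }
        }
        [PSCustomObject]@{
            Path     = $s.Path
            Name     = $s.Name
            Expected = $s.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

function Set-Tls12ClientConfig {
    # Creates missing keys and writes the expected DWORD values. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($s in $Tls12ClientSettings) {
        if ($s.Wow64Only -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set DWORD to $($s.Expected)")) {
            if (-not (Test-Path -Path $s.Path)) {
                New-Item -Path $s.Path -Force | Out-Null
            }
            # -Force overwrites an existing value of any type with the DWORD we want.
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Expected `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: audit first, and apply only when run with -Apply (assumed switch of this example).
param([switch]$Apply)
if ($Apply) {
    Set-Tls12ClientConfig
}
Test-Tls12ClientConfig | Format-Table -AutoSize
```

Running the script without -Apply only reads the registry and prints a table, which is what you want to collect from every client machine before changing anything; "Mismatch" rows show a value that exists but is wrong (for example Enabled = 0), which is the state that produces the TLS 1.0 fallback described above. On Windows 10 the two SCHANNEL rows are already correct by default, so in practice only the SchUseStrongCrypto rows need to change there.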