User Manual
Checklist
5
57
Siemens
Application Note
Smart Infrastructure
5 Checklist
The following checklist should be used to carry out security controls for the Desigo
CC system components. The checklist has to be completed for each instance of
any component.
Desigo CC Server Hardening Checklist
User Configuration
Make sure the password for the local Administrator account is reset to something
secure. Furthermore, disable the local administrator whenever possible.
Consider using a non-administrator account to handle your business whenever
possible, requesting elevation using Windows equivalent of Linux “sudo” command
(that allows you to run programs with the security privileges of another user by
default, as the superuser), “Run As” and entering the password for the administra-
tor account when prompted.
Verify that the local guest account is disabled where applicable. None of the built-in
accounts are secure, guest perhaps least of all, so just close that door.
Use a password policy to make sure accounts on the server can’t be compromised.
If your server is a member of AD, the password policy will be set at the domain
level in the Default Domain Policy. Standalone servers can be set in the local poli-
cy editor. Either way, a good password policy will at least establish the following:
Complexity and length requirements - how strong the password must be
Password expiration - how long the password is valid
Password history - how long until previous passwords can be reused
Account lockout - how many failed password attempts before the account
is suspended
Windows Features and Roles Configuration
Microsoft uses roles and features to manage OS packages. Roles are basically a
collection of features designed for a specific purpose, so generally roles can be
chosen if the server fits one, and then the features can be customized from there.
Two equally important things to do are
1. Make sure everything you need is installed. This might be a .NET frame-
work version or IIS, but without the right pieces your applications won’t
work.
2. Uninstall everything you don’t need. Extraneous packages unnecessarily
extend the attack surface of the server and should be removed whenever
possible.
This is equally true for default applications installed on the server that won’t be
used. Servers should be designed with necessity in mind and stripped lean to
make the necessary parts function as smoothly and quickly as possible.
Update Installation
The best way to keep your server secure is to keep it up to date. This doesn’t
necessarily mean applying updates as soon as they are released with little to no
testing, but simply having a process to ensure updates do get applied within a rea-
sonable window. Most exploited vulnerabilities are over a year old, though critical
updates should be applied as soon as possible in testing and then in production if
there are no problems.
Firewall Configuration
If you’re building a web server, for example, you’re only going to want web ports
(80 and 443) open to that server from the internet. If anonymous internet clients