User Manual

Checklist
Siemens
Application Note
Smart Infrastructure
domain. Domain logons are processed by domain controllers, and as such, they
have the audit logs for that activity, not the local system. Standalone servers will
have security audits available and can be configured to show passes and/or failures.
Check the maximum size of your logs and scope them to an appropriate size. Log
defaults are almost always far too small to monitor complex production applications.
As such, disk space should be allocated during server builds for logging, especially
for applications like MS Exchange. Logs should be backed up according to
your organization’s retention policies and then cleared to make room for more current
events.
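One way to carry out the log size check described above, as an added example that is not part of the Siemens application note. The log names, the target sizes and the backup folder are assumptions to be replaced with your own retention policy values; run it from an elevated PowerShell session.

```powershell
# Assumed minimum sizes per log (illustrative values, not from the application note).
$targets = @{
    'Security'    = 1GB
    'Application' = 256MB
    'System'      = 256MB
}
$apply     = $false              # set to $true to change sizes and archive logs
$backupDir = 'D:\LogArchive'     # assumed archive location

# Report configured maximum size, current usage and retention mode for each log.
$report = foreach ($name in $targets.Keys) {
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    [pscustomobject]@{
        Log        = $log.LogName
        Enabled    = $log.IsEnabled
        Mode       = $log.LogMode                       # Circular, AutoBackup or Retain
        MaxMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedMB     = [math]::Round($log.FileSize / 1MB, 1)
        TargetMB   = $targets[$name] / 1MB
        Undersized = $log.MaximumSizeInBytes -lt $targets[$name]
    }
}
$report | Sort-Object Log | Format-Table -AutoSize

if ($apply) {
    foreach ($row in $report) {
        if ($row.Undersized) {
            # wevtutil takes the maximum size in bytes.
            $size = $targets[$row.Log]
            wevtutil.exe sl $row.Log "/ms:$size"
        }
        # Back up to an .evtx file, then clear, as one operation.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $file  = Join-Path $backupDir "$($row.Log)-$stamp.evtx"
        wevtutil.exe cl $row.Log "/bu:$file"
    }
}
```

With `$apply` left at `$false` the script only reports, which is the safe way to review current sizing before changing anything.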
Controls Status
Implement physical and environmental security controls
Implement network separation
Implement protective firewall rules
Implement secure communication to the clients
Implement secure communication to remote Desigo CC (if applicable)
Implement user management controls
Implement access control measures
Desigo CC
Even in homogeneous Windows-only environments, managing vulnerabilities and
patches across different OS versions can be a daunting affair. The following can
serve as a practical starting point for protecting today’s Windows-based infrastructures
against cyberattacks.
Identify Untested/Secured Firmware and 3rd-Party Firmware Modifications
Modern Windows versions (7, 8, 10, and Windows Server versions) use what is known as
the UEFI firmware standard in place of a computer or device’s standard BIOS.
Because the Windows Binary Loader uses UEFI, and UEFI implementation is in the
hands of hardware vendors (e.g., IBM, Lenovo, Dell), less scrupulous brands may
be inclined to make “extra” modifications. It is therefore critical that computers or
devices manufactured by suspect brands be identified and carefully scrutinized for
their potential impact on IT security.
Fix Unpatched/Incompatible Drivers
A myriad of hardware devices and services are in use by today’s computers, which
invariably creates an ongoing concern around the incompatibility and vulnerability
of drivers. Increasingly, drivers are a common source of new security gaps
introduced into the environment. Vulnerability detection should therefore include both
software packages and discrete, standalone components such as drivers.
Outdated and non-supported drivers should be removed from systems entirely.
Address Vulnerabilities in Windows-Bundled Software
Windows 10 ships with several bundled apps like Photos, Groove Music, and
Skype, among others. These items are pre-installed with every user account on
your Windows 10 system, but like all software, are subject to their own specific
vulnerabilities and flaws. Software vulnerability scanning should include both the Windows
operating system and the bundled apps that ship with it.
Enforce Data Encryption
Data breaches may be inevitable, but stolen data can still be protected—even
when in the hands of attackers. Encryption has its pros and cons, but for the most
part is a relatively transparent and easy way to prevent data from being exposed,
before and after it has been stolen. BitLocker is Microsoft’s solution for file encryption,
and ships with newer versions of Windows. The drawback to BitLocker is that