User Manual
Cybersecurity Concepts – How to Secure the System
Web Browser Security
3
A6V11646120_enUS_b_40
69 | 85
Finally, enable TLS 1.2 in the registry on each machine that runs the XBAP browser client (on Windows 10 only the last two entries are needed):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    DisabledByDefault (type = DWORD, Value = 0 hexadecimal)
    Enabled (type = DWORD, Value = 1 hexadecimal)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
    SchUseStrongCrypto (type = DWORD, Value = 1 hexadecimal)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
    SchUseStrongCrypto (type = DWORD, Value = 1 hexadecimal)
The ClickOnce client is not impacted. It runs automatically using TLS 1.2 when the
protocol is available on the client.
● Windows SMBv1 Remote Code Execution Vulnerabilities
Remote code execution vulnerabilities exist in the way that the Microsoft Server
Message Block 1.0 (SMBv1) server handles certain requests. An attacker who
successfully exploited the vulnerabilities could gain the ability to execute code on the
target server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send
a specially crafted packet to a targeted SMBv1 server.
The EternalBlue exploit targets a vulnerability (addressed in Microsoft Security Bulletin
MS17-010) in the SMBv1 protocol, through port 445. During an attack, black hats scan
the internet for exposed SMB ports, and if found, launch the exploit code. If the target
is vulnerable, the attacker will then run a payload of the attacker’s choice on the
target. This was the mechanism behind the effective distribution of WannaCryptor.D
ransomware across networks.
● Mitigating Factors: Disable SMBv1 in Windows and Windows Server
See the following references:
https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always
https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-windows-server-2012/
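As an added example that is not part of the Desigo CC manual, the following PowerShell script audits the four TLS 1.2 registry values listed under Web Browser Security above together with the SMBv1 server setting from this section, and applies the expected values when run with the hypothetical -Enforce switch. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration is available.

```powershell
# Audit, and with the (hypothetical) -Enforce switch apply, the TLS 1.2 registry
# values and the SMBv1 server setting described in this manual. Run elevated.
param([switch]$Enforce)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
# Values exactly as listed in the manual; on Windows 10 only the two
# SchUseStrongCrypto entries are required.
$tlsSettings = @(
    @{ Path = $schannel; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = $schannel; Name = 'Enabled';           Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Value = 1 }
)

$failures = 0
foreach ($s in $tlsSettings) {
    # A missing key or value reads as $null and is treated as non-compliant.
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $ok = ($current -eq $s.Value)
    if (-not $ok) { $failures++ }
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("$status {0}\{1} = {2} (expected {3})" -f $s.Path, $s.Name, $current, $s.Value)
    if ($Enforce -and -not $ok) {
        # New-Item -Force creates the whole key path (e.g. Protocols\TLS 1.2\Client) if absent.
        New-Item -Path $s.Path -Force | Out-Null
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

# SMBv1 server side (MS17-010 / EternalBlue mitigation): the protocol should be disabled.
# The Microsoft article referenced above also covers removing the SMB1 Windows feature entirely.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1Enabled) {
    $failures++
    Write-Output 'FAIL SMBv1 server protocol is enabled'
    if ($Enforce) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
} else {
    Write-Output 'OK   SMBv1 server protocol is disabled'
}

Write-Output "$failures non-compliant setting(s) found"
# Non-zero exit code lets a deployment or compliance job flag the host.
exit $failures
```

Run without -Enforce first to see which machines deviate; the exit code is the number of non-compliant settings at the time of the audit.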
Patching
All components (such as virtualization software, operating systems or anti-malware
software) should always be running with the latest security patches. It is not within the
control of Siemens to provide patches for components that are operated with Desigo
CC but do not originate from Siemens, such as client operating systems.
● Use a proper discovery service
The only way to know if a breach or vulnerability exists is to employ broad discovery
capabilities. A proper discovery service entails a combination of active and passive
discovery features and the ability to identify physical, virtual, and on- and off-premises
systems that access your network. Developing this current inventory of production
systems, including everything from IP addresses, OS types and versions and physical