User Manual
A6V11646120_enUS_b_40
79 | 85
4 Checklist
The following checklist should be used to perform security controls for the Desigo CC
system components. The checklist must be completed for each instance of any
component.
Desigo CC Server Hardening Checklist
● User Configuration
Make sure that the password for the local Administrator account is reset to something
secure. Furthermore, disable the local Administrator account whenever possible.
Consider using a non-administrator account for day-to-day work and requesting
elevation only when needed. The Windows equivalent of the Linux sudo command (which
runs a program with the security privileges of another user, by default the
superuser) is Run As: run the program with Run As and enter the administrator
account password when prompted.
Verify that the local guest account is disabled where applicable. None of the built-in
accounts are secure, guest perhaps least of all, so just close that door.
Use a password policy to make sure accounts on the server cannot be compromised.
If your server is a member of AD, the password policy is set at the domain level in
the Default Domain Policy. On stand-alone servers it is set in the local security
policy editor. Either way, a good password policy will at least establish the following:
● Complexity and length requirements – how strong the password must be.
● Password expiration – how long the password is valid.
● Password history – how long until previous passwords can be reused.
● Account lockout – how many failed password attempts are allowed before the account is
suspended.
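The account and password-policy items above can be verified from the server itself. The following PowerShell script is an added example, not part of the Desigo CC manual or the product; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later), local administrator rights, and an English locale for the `net accounts` output. The baseline thresholds (14 characters, 90 days, 24 remembered passwords, 10 attempts) are assumptions for illustration; substitute the values your own policy defines.

```powershell
# Added example (not from the Desigo CC manual): audit the local account and
# password-policy items from the checklist on a Windows server.
# Assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module and local administrator rights. Thresholds are assumed baselines.

$Findings = New-Object System.Collections.Generic.List[string]

# --- Built-in accounts -----------------------------------------------------
# The built-in Administrator and Guest accounts have well-known SIDs ending in
# -500 and -501, so match on the SID rather than the (renameable) account name.
foreach ($u in Get-LocalUser) {
    if ($u.SID.Value -like '*-500' -and $u.Enabled) {
        $Findings.Add("Built-in Administrator '$($u.Name)' is enabled; disable it or record a compensating control.")
    }
    if ($u.SID.Value -like '*-501' -and $u.Enabled) {
        $Findings.Add("Guest account '$($u.Name)' is enabled; disable it.")
    }
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $Findings.Add("Account '$($u.Name)' is enabled but does not require a password.")
    }
}

# --- Effective password policy ----------------------------------------------
# 'net accounts' reports the policy in effect on this host, whether it comes
# from the Default Domain Policy or from the local security policy.
$Policy = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(.+?):\s+(.+)$') { $Policy[$matches[1].Trim()] = $matches[2].Trim() }
}

# Returns the leading integer of a policy value, or $null for 'Never'/'None'/'Unlimited'.
function Get-PolicyInt([string]$Key) {
    $v = $Policy[$Key]
    if ($v -match '^\d+') { return [int]$matches[0] }
    return $null
}

$MinLength = Get-PolicyInt 'Minimum password length'
$MaxAge    = Get-PolicyInt 'Maximum password age (days)'
$History   = Get-PolicyInt 'Length of password history maintained'
$Lockout   = Get-PolicyInt 'Lockout threshold'

if ($null -eq $MinLength -or $MinLength -lt 14) { $Findings.Add("Minimum password length is '$($Policy['Minimum password length'])'; assumed baseline is 14.") }
if ($null -eq $MaxAge    -or $MaxAge -gt 90)    { $Findings.Add("Maximum password age is '$($Policy['Maximum password age (days)'])'; assumed baseline is 90 days or less.") }
if ($null -eq $History   -or $History -lt 24)   { $Findings.Add("Password history is '$($Policy['Length of password history maintained'])'; assumed baseline is 24.") }
if ($null -eq $Lockout   -or $Lockout -gt 10)   { $Findings.Add("Lockout threshold is '$($Policy['Lockout threshold'])'; assumed baseline is 10 attempts or fewer (a value of 'Never' means no lockout).") }

if ($Findings.Count -eq 0) { 'User configuration: no findings.' } else { $Findings }
```

Matching the built-in accounts by SID suffix matters because renaming the Administrator account is a common hardening step; a check that looks for the literal name "Administrator" would report a clean result on a renamed but still enabled account.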
● Windows Features and Roles Configuration
Microsoft uses roles and features to manage OS packages. Roles are basically a
collection of features designed for a specific purpose, so generally roles can be
chosen if the server fits one and then the features can be customized from there. Two
equally important things to do are:
1. Make sure everything you need is installed. This might be a .NET framework
version or IIS, but without the right pieces your applications will not work.
2. Uninstall anything you do not need. Extraneous packages unnecessarily extend
the attack surface of the server and should be removed whenever possible.
This is equally true for default applications installed on the server that will not be used.
Servers should be designed with necessity in mind and stripped lean to make the
necessary parts function as smoothly and quickly as possible.
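Both points, everything required is present and nothing extraneous remains, can be checked against an explicit allow-list. The script below is an added example, not part of the Desigo CC manual or the product; it assumes Windows Server with the ServerManager module (`Get-WindowsFeature`). The feature names in `$RequiredFeatures` and `$ReviewIfInstalled` are assumed illustrations; derive the real allow-list from the product's documented installation prerequisites.

```powershell
# Added example (not from the Desigo CC manual): compare installed Windows
# Server roles and features against an allow-list of what this host needs.
# Assumes Windows Server with the ServerManager module. The lists are assumed
# illustrations, not the product's actual prerequisites.

$RequiredFeatures = @(
    'Web-Server',            # IIS role (assumed requirement)
    'Web-Asp-Net45',         # ASP.NET 4.x under IIS (assumed requirement)
    'NET-Framework-45-Core'  # .NET Framework 4.x (assumed requirement)
)

# Features often present by default or by habit but rarely needed on an
# application server; an assumed example of what to review for removal.
$ReviewIfInstalled = @(
    'PowerShell-V2',         # legacy engine with weaker logging
    'FS-SMB1',               # SMBv1 protocol
    'Telnet-Client',
    'Web-Ftp-Server'
)

$Installed      = Get-WindowsFeature | Where-Object { $_.Installed }
$InstalledNames = $Installed | ForEach-Object { $_.Name }

$Report = [ordered]@{
    # Required items that are absent: the application will not work without them.
    Missing          = @($RequiredFeatures | Where-Object { $InstalledNames -notcontains $_ })
    # Known-unnecessary items that are present: candidates for removal.
    ReviewForRemoval = @($ReviewIfInstalled | Where-Object { $InstalledNames -contains $_ })
    # Top-level roles outside the allow-list: each must be justified or removed.
    UnexpectedRoles  = @($Installed |
        Where-Object { $_.FeatureType -eq 'Role' -and $RequiredFeatures -notcontains $_.Name } |
        ForEach-Object { $_.Name })
}

[pscustomobject]$Report | Format-List

# Remediation is deliberately left as a manual step so that each change is
# reviewed before it is made:
#   Install-WindowsFeature   -Name <feature-name>
#   Uninstall-WindowsFeature -Name <feature-name> -Remove
```

Reporting rather than auto-remediating keeps the checklist auditable: the output can be attached to the hardening record for each server instance, and any role left in `UnexpectedRoles` has to be justified explicitly.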
● Update Installation
The best way to keep your server secure is to keep it up to date. This does not
necessarily mean applying updates as soon as they are released with little to no
testing, but simply having a process to ensure updates are applied within a reasonable
window. Most exploited vulnerabilities are over a year old, though critical updates
should be applied as soon as possible in testing and then in production if there are no
problems.
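A process with a "reasonable window" needs a way to measure where each server stands against it. The following PowerShell script is an added example, not part of the Desigo CC manual or the product; it assumes Windows PowerShell 5.1 or later and that the Windows Update Agent COM API can reach its configured update source (WSUS or Microsoft Update). The 30-day window is an assumption; substitute the window your process defines.

```powershell
# Added example (not from the Desigo CC manual): report how current the host's
# patch level is and which applicable updates are still pending.
# Assumes Windows PowerShell 5.1+ and a reachable update source. The 30-day
# window is an assumed value.

$WindowDays = 30

# Most recently installed hotfix, from the Win32_QuickFixEngineering data.
$LastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$AgeDays = if ($LastHotfix) {
    (New-TimeSpan -Start $LastHotfix.InstalledOn -End (Get-Date)).Days
} else { $null }

# Ask the Windows Update Agent for applicable updates that are not yet installed.
$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()
$Result   = $Searcher.Search('IsInstalled=0 and IsHidden=0')

$Pending = foreach ($u in $Result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    }
}

# Summary: is this host outside the agreed window, and is anything critical waiting?
[pscustomobject]@{
    LastHotfix      = if ($LastHotfix) { $LastHotfix.HotFixID } else { 'none recorded' }
    LastInstalledOn = if ($LastHotfix) { $LastHotfix.InstalledOn } else { $null }
    DaysSinceUpdate = $AgeDays
    OutsideWindow   = ($null -eq $AgeDays) -or ($AgeDays -gt $WindowDays)
    PendingCount    = @($Pending).Count
    PendingCritical = @($Pending | Where-Object { $_.Severity -eq 'Critical' }).Count
} | Format-List

# Detail: critical items go to the test environment first, then to production.
$Pending | Sort-Object Severity | Format-Table -AutoSize
```

`Get-HotFix` only reflects updates recorded as hotfixes, so the pending-update query is the more reliable signal; the two together show both how long it has been since anything was installed and what is currently outstanding.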
● Firewall Configuration
If you are building a web server, for example, you only want web ports (80 and 443)
open to that server from the internet. If anonymous internet clients can talk to the
server on other ports, that opens a huge and unnecessary security risk. If the server
has other functions such as remote desktop (RDP) for management, they should only