User Manual
Checklist
4
A6V11646120_enUS_b_40
Check the maximum size of your logs and scope them to an appropriate size. Log
defaults are almost always far too small to monitor complex production applications.
As such, disk space should be allocated during server builds for logging, especially for
applications like Microsoft Exchange. Logs should be backed up according to your
organization’s retention policies and then cleared to make room for more current
events.
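The size check described above can be scripted. The following PowerShell audit is an added example, not part of the original manual; the log names, the 1 GB floor and the 90 % warning level are assumptions to replace with values from your own retention policy.

```powershell
# Audit Windows event log sizing (added example; thresholds are assumptions, not vendor values).
param(
    [string[]]$LogName      = @('Application', 'System', 'Security'),
    [long]    $MinimumBytes = 1GB,   # assumed floor; derive from your event volume and retention policy
    [int]     $WarnPercent  = 90     # flag logs that are at least this full
)

$report = foreach ($name in $LogName) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Log '$name' not found or not readable (the Security log may need elevation)."
        continue
    }

    # FileSize is the current size on disk; MaximumSizeInBytes is the configured cap.
    $pctFull = if ($log.MaximumSizeInBytes -gt 0) {
        [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    } else { 0 }

    [pscustomobject]@{
        LogName  = $log.LogName
        Enabled  = $log.IsEnabled
        Mode     = $log.LogMode    # Circular = oldest events are overwritten once the cap is reached
        MaxMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedMB   = [math]::Round($log.FileSize / 1MB, 1)
        PctFull  = $pctFull
        TooSmall = $log.MaximumSizeInBytes -lt $MinimumBytes
        NearFull = $pctFull -ge $WarnPercent
    }
}

$report | Sort-Object LogName | Format-Table -AutoSize

# Print (do not run) the resize command for each undersized log so the change can be reviewed first.
$report | Where-Object TooSmall | ForEach-Object {
    "wevtutil sl `"$($_.LogName)`" /ms:$MinimumBytes"
}
```

A log that shows `Circular` mode together with `NearFull` is already overwriting its oldest events, so it should be backed up and resized before anything else.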
Controls
Status
Implement physical and environmental security controls.
Implement network separation.
Implement protective firewall rules.
Implement secure communication to the clients.
Implement secure communication to remote Desigo CC (if applicable).
Implement user management controls.
Implement access control measures.
Desigo CC
Even in homogeneous Windows-only environments, managing vulnerabilities and
patches across different OS versions can be a daunting affair. The following can serve
as a practical starting point for protecting today’s Windows-based infrastructures
against cyber attacks.
Identify Untested/Secured Firmware and 3rd-Party Firmware Modifications
Modern Windows versions (7, 8, 10, and Windows Server versions) use what is known as
the UEFI firmware standard in place of a computer or device’s standard BIOS. Because
the Windows Binary Loader uses UEFI, and UEFI implementation is in the hands of
hardware vendors (for example, IBM, Lenovo, Dell), less scrupulous brands may be
inclined to make extra modifications. It is therefore critical that computers or devices
manufactured by suspect brands be identified and carefully scrutinized for their
potential impact on IT security.
Fix Unpatched/Incompatible Drivers
A myriad of hardware devices and services are in use by today’s computers, which
invariably creates an ongoing concern around the incompatibility and vulnerability of
drivers. And increasingly, drivers are a common source of new security gaps
introduced into the environment. Vulnerability detection should therefore include both
software packages and discrete, stand-alone components such as drivers.
Outdated and non-supported drivers should be removed from systems entirely.
Address Vulnerabilities in Windows-Bundled Software
Windows 10 ships with several bundled apps like Photos, Groove Music, and Skype,
among others. These items are pre-installed with every user account on your
Windows 10 system and, like all software, are subject to their own specific
vulnerabilities and flaws. Software vulnerability scanning should include both the
Windows operating system and the bundled apps that ship with it.
Enforce Data Encryption
Data breaches may be inevitable, but stolen data can still be protected—even when in
the hands of attackers. Encryption has its pros and cons, but for the most part is a
relatively transparent and easy way to prevent data from being exposed, before and
after it has been stolen. BitLocker is Microsoft’s solution for file encryption, and ships
with newer versions of Windows. The drawback to BitLocker is that every Windows
machine using it must also have a supporting BIOS and have the Trusted Platform
Module (TPM) chip enabled.