Preface 1

What's new? 2

Security strategies 3
SIMATIC
Network security 4
Process Control System PCS 7
Compendium Part F - 5
System hardening
Industrial Security (V8.1)
User Administration and
Operator Permissions 6
Configuration Manual

Patch management 7
Protection against malware
using virus scanners 8
Backing up and restoring
data 9

Remote access 10

Definitions and Abbreviations 11

Valid for PCS 7 V8.1

03/2016
A5E35032082-AB
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG A5E35032082-AB Copyright © Siemens AG 2016.

Division Digital Factory Ⓟ 04/2016 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of contents

1 Preface ................................................................................................................................................... 7
2 What's new? ......................................................................................................................................... 11
3 Security strategies ................................................................................................................................ 13
3.1 General information ................................................................................................................13
3.2 Concept of "defense in depth" ................................................................................................13
3.3 Example configuration ............................................................................................................15
4 Network security ................................................................................................................................... 17
4.1 Automation and security cells .................................................................................................17
4.2 Addressing and segmenting ...................................................................................................19
4.2.1 Example configuration: Division into subnets .........................................................................20
4.2.2 Example configuration: Setting of IP addresses and subnet mask ........................................24
4.3 Name resolution ......................................................................................................................27
4.4 Managing networks and network services ..............................................................................34
4.5 Access points to the security cells ..........................................................................................35
4.5.1 Overview .................................................................................................................................35
4.5.2 Automation Firewall Appliance ...............................................................................................36
4.5.3 Example configuration: Access rules ......................................................................................37
4.6 Secure communication between security cells .......................................................................44
4.6.1 Overview .................................................................................................................................44
4.6.2 Data exchange between automation systems ........................................................................44
4.6.2.1 Introduction .............................................................................................................................44
4.6.2.2 Example configuration: Establishing secure communication between security cells with
SCALANCE S .........................................................................................................................46
4.6.3 Data exchange for operating and monitoring with remote OS clients ....................................53
4.6.4 Quarantine station (file server) ...............................................................................................58
4.7 Configuration of the SCALANCE X network components ......................................................65
5 System hardening ................................................................................................................................. 69
5.1 Overview .................................................................................................................................69
5.2 Installing the operating system ...............................................................................................70
5.3 Security Controller ..................................................................................................................75
5.4 Windows Firewall ....................................................................................................................77
5.5 BIOS settings ..........................................................................................................................83

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 3
Table of contents

5.6 Working with mobile data media ............................................................................................ 84

5.6.1 Overview ................................................................................................................................ 84
5.6.2 Blocking access to USB storage media using group policy in Windows 7 and Windows
Server 2008 R2 ...................................................................................................................... 86
5.6.3 Regulating the use of USB storage media using group policy in Windows 7 and
Windows Server 2008 R2 ...................................................................................................... 90
5.6.4 Disabling Windows Autorun / Autoplay for CD/DVD drives and USB storage media ............ 97
5.6.4.1 Disabling the Autoplay function using group policy in Windows 7 and Windows Server
2008 R2 .................................................................................................................................. 98
5.6.4.2 Disabling all Autorun functions using group policy in Windows 7 and Windows Server
2008 R2 ................................................................................................................................ 102
5.7 Whitelisting ........................................................................................................................... 106
5.8 SIMATIC S7 CPUs ............................................................................................................... 108
5.9 SIMATIC NET S7-400 - Industrial Ethernet CPs ................................................................. 108
6 User Administration and Operator Permissions ....................................................................................109
6.1 Overview .............................................................................................................................. 109
6.2 Windows workgroup or Windows domain ............................................................................ 109
6.3 Managing computers and users........................................................................................... 111
6.4 Password policies ................................................................................................................ 118
6.5 Domain Controller ................................................................................................................ 120
6.5.1 Installation and configuration of the first domain controller (DC1) ....................................... 122
6.5.2 Installation and configuration of an additional domain controller (DC2-DCn) in an
existing domain .................................................................................................................... 141
6.5.3 WINS installation and configuration ..................................................................................... 142
6.5.3.1 WINS installation and configuration ..................................................................................... 142
6.5.3.2 Multiple WINS servers and WINS replication ...................................................................... 149
6.5.4 FSMO roles .......................................................................................................................... 154
6.5.5 Users and user groups ......................................................................................................... 162
6.6 Operator authorizations – Rights management of the operator ........................................... 163
6.6.1 SIMATIC Logon.................................................................................................................... 163
6.6.2 Access protection for projects/libraries on the engineering station ..................................... 164
6.6.3 Documenting changes in the change log ............................................................................. 166
6.6.4 Documenting changes in the ES log .................................................................................... 167
6.6.5 Access protection for operator stations ............................................................................... 168
6.7 Protection level concept ....................................................................................................... 169
7 Patch management ..............................................................................................................................170
7.1 Overview .............................................................................................................................. 170
7.2 Windows Server Update Service (WSUS) ........................................................................... 171
7.2.1 Recommended procedure for patch management using the Microsoft Windows Server
Update Service (WSUS) ...................................................................................................... 173
7.2.2 Configuration of computer policies....................................................................................... 177
7.2.3 Firewall rules ........................................................................................................................ 182
7.3 Manual update ..................................................................................................................... 183

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

4 Configuration Manual, 03/2016, A5E35032082-AB
 Table of contents

8 Protection against malware using virus scanners ................................................................................ 184

8.1 Overview ...............................................................................................................................184
8.2 Procedure following a virus infection ....................................................................................189
9 Backing up and restoring data ............................................................................................................. 192
9.1 Backup strategy ....................................................................................................................192
9.1.1 Scope of the backups ...........................................................................................................193
9.1.2 Interval for creating backups .................................................................................................193
9.2 Storage location of backups .................................................................................................194
9.3 Archiving ...............................................................................................................................195
10 Remote access ................................................................................................................................... 196
10.1 Secure remote maintenance based on the SIEMENS Remote Service platform ................196
10.2 Creating a remote service concept .......................................................................................198
10.3 Connectivity to the SIEMENS Remote Service platform ......................................................199
11 Definitions and Abbreviations .............................................................................................................. 203

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 5
Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, solutions, machines, equipment and/or networks. They are
important components in a holistic industrial security concept. With this in mind, Siemens’
products and solutions undergo continuous development. Siemens recommends strongly
that you regularly check for product updates.
For the secure operation of Siemens products and solutions, it is necessary to take suitable
preventive action (e.g. cell protection concept) and integrate each component into a holistic,
state-of-the-art industrial security concept. Third-party products that may be in use should
also be considered. For more information about industrial security, visit
http://www.siemens.com/industrialsecurity
To stay informed about product updates as they occur, sign up for a product-specific
newsletter. For more information, visit
http://support.automation.siemens.com/

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 6
Preface 1
Subject of the manual
As a distinctly open system, SIMATIC PCS 7 can be flexibly adapted to a wide range of
customer needs. The system software provides the configuration engineer with a great deal
of freedom in terms of project configuration, as well as in the design of the program and
visualization.
Experience has shown that subsequent modernization or plant expansion work is made
much easier if the project is configured "in conformance with PCS 7" as far as possible right
from the start. This means users must adhere to certain basic rules to ensure that the
provided system functions will offer optimum usability in the future.
This manual serves as a compendium to the product documentation covering SIMATIC PCS
7. The basic tasks for creating and configuring the project are described in the form of
instructions with numerous illustrations.
The compendium directly reflects the recommended method for configuration, which is
based on the results of a great deal of practical experience. The description relates to
working with the project and the parameter settings of the components it contains but not the
application itself.
The compendium is divided into the following parts:
● Configuration guidelines including checklist
● Process safety including two checklists
● Technical functions with SFC types
● Operation and maintenance including checklist
● Hardware installation including checklist
● Industrial Security

Validity
This manual incorporates the statements provided in the documentation for SIMATIC PCS 7
and specifically in the "Security Concept PCS 7 & WinCC". It can be used with SIMATIC
PCS 7 automation systems and projects.
The configuration guide is valid from SIMATIC PCS 7 V8.1.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 7
Preface

SIMATIC PCS 7 documentation

Full PCS 7 documentation is available to you free of charge and in multiple languages in
PDF format at www.siemens.com/pcs7-documentation.

Subject of Part F-"Industrial Security"

In the production and automation environment, it is primarily about the availability of the
system. The protection of information and data are of secondary importance.
Industrial Security must not be reduced to simply information security in the automation
environment. The transmitted information controls and monitors physical and/or chemical
processes, directly and deterministically. The actual information is therefore comparatively
unimportant when viewing the possible IT-based damages in the production environment
(exception: company secrets, for example, recipes). What is important is the possible (and
intended) direct effect of information on the process control and process monitoring based
on the use of automation technology. If this information flow is disrupted, a series of
consequences can be expected:
● Limited process availability up to the loss of process control
● Direct maloperation
● System standstills, production downtimes and product contamination
● Damages to the system
● Danger to life and limb
● Dangers to the environment
● Violations of legal or official conditions
● Criminal or civil charges
● Loss of public reputation (damage to public image)
● Financial losses
As result, the objectives of protection in process automation and in traditional information
technology differ significantly: For office applications, confidentiality and data protection are
most important. For automation systems, maintaining operational safety without exception
and protecting life and limb are of the highest priority. The decisive prerequisite in this case
is maintaining the availability of the system and, as a result, the unrestricted control over the
process. The consequence resulting from this is that the proven methods and approaches in
the office environment cannot be applied one-to-one in automation engineering.
This manual serves as a compendium to the product documentation for SIMATIC PCS 7.
The basic tasks for creating and configuring the project are described in the form of
instructions with numerous illustrations.
The compendium directly reflects the recommended method for configuration, which is
based on the results of a great deal of practical experience. The description relates to
working with the project and the parameter settings of the components it contains but not the
application itself.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

8 Configuration Manual, 03/2016, A5E35032082-AB
 Preface

Additional support
If you have any questions about using the products described in the manual, contact your
Siemens representative in the sales and service locations that are responsible for your
company.
You can locate your contact at http://www.siemens.com/automation/partner.
The guide that provides details of the technical documentation offered for the individual
SIMATIC products and systems is available at http://www.siemens.com/simatic-tech-doku-
portal.
The online catalog and online ordering system are available at
www.siemens.com/industrymall.

Training center
Siemens offers a number of training courses to familiarize you with the SIMATIC PCS 7
process control system. Contact your regional training center or the main training center
(http://www.sitrain.com) in 90327 Nuremberg, Germany.

Technical support
You can contact technical support for all Industry Automation and Drive Technology products
using the Support Request (http://www.siemens.com/automation/support-request) web form.
Additional information on our Technical Support is available on the Internet at
https://support.industry.siemens.com/sc/ww/en/sc/2554.

Industry Online Support on the Internet

In addition to our documentation, our expertise is also available to you on the Internet
(https://support.industry.siemens.com).
Here you will find:
● An overview of the most important technical information and solutions for PCS 7 under
www.siemens.de/industry/onlinesupport/pcs7.
● The newsletter, which will keep you constantly up-to-date with the latest information about
our products.
● The right documents for you via the search facility in our Industry Online Support portal.
● A forum in which users and experts from all over the world exchange ideas and
experiences.
● Your local contact partner for Industry Automation and Drive Technology.
Information about local service, repairs, spare parts. The "Services" section offers even more
options.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 9
Preface

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

10 Configuration Manual, 03/2016, A5E35032082-AB
What's new? 2
In addition to updating the existing contents for SIMATIC PCS 7 V8.1, you can find the
following additions:
● Section "Network security > Data exchange for operating and monitoring with remote OS
clients (Page 53)"
● Section "User management and operator permissions > Domain controller (Page 120)"
– Installation and configuration of the first domain controller (DC1) (Page 122)
– Installation and configuration of an additional domain controller (DC2-DCn) in an
existing domain (Page 141)
– FSMO roles (Page 154)
– Users and user groups (Page 162)

See also
Installing the operating system (Page 70)

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 11
What's new?

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

12 Configuration Manual, 03/2016, A5E35032082-AB
Security strategies 3
3.1 General information
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) encourages
plant operators in their security advisories to take additional defensive measures to protect
against cybersecurity risks. ICS-CERT recommends:
● Minimizing network exposure for all control system devices. Critical devices should not
have direct access to the Internet.
● Placing control system networks and remote devices behind firewalls and isolating them
from the company network.
● Using secure methods such as Virtual Private Networks (VPNs) when remote access is
required. Keep in mind that VPN is only as secure as the connected devices.

3.2 Concept of "defense in depth"

The concept of defense in depth is a security strategy in which several layers of the defense
position themselves around the system to be protected, in this case the automation system
(like "peeling an onion").
The implementation of a defense-in-depth requires a combination of various security
measures. They include:
● Physical security measures
Control of physical access to spaces, buildings, individual rooms, cabinets, devices,
equipment, cables and wires. The physical security measures must be based around the
security cells and the responsible persons. It is also important to implement physical
protection at remote single station systems.
● Organizational security measures
Security guidelines, security concepts, set of security rules, security checks, risk
analyses, assessments and audits, awareness measures and training.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 13
Security strategies
3.2 Concept of "defense in depth"

The physical and organizational security measures are summarized under the heading
"Plant Security".
● Division into security cells
A sufficiently secured network architecture subdivides the instrumentation and control
network into different task levels.
Perimeter zone techniques should be employed. In this case, this means using exported
data and not data used directly for process control that are available on a system (data
memory database). The system is located between the main access point for data input
(front-end firewall) and the deeply embedded access point for data input (back-end
firewall), or the third network section of a triple-homed firewall (located in three networks).
● Securing access points to the security cells
A single access point to each security cell (should be a firewall system) for the
authentication of users, employed devices and applications, for the direction-based
access control and the assignment of access permissions as well as for detection of
break-in attempts.
The single access point functions as main access point to the network of a security cell
and serves as the first point of a control for access rights to network levels.
● Securing the communication between two security cells using an "unsecured" network
Certificate-based authenticated and encrypted communication should always be used
when the perimeter zone technique or standard application layer filtering technique is not
available. This can take place using tunneling protocols such as PPTP (Point-To-Point
Tunneling Protocol), L2TP (Layer Two Tunneling Protocol) or IPSec (IP Security) filtering
or even via channels that are also secured by server-based certificates, for example RDP
(Remote Desktop Protocol), a Windows Server terminal server securely published via
HTTPS or Windows Server Web server via the firewall using SSL (Secure Sockets Layer)
technology.
The measures concerning the security cells, such as forming security cells, securing access
points and the secure communication between different security cells, are summarized under
the heading "Network Security".
● System hardening
System settings of a computer that make it more resistant to attacks by malware.
● User management and role-based operator authorizations
Task-based operation and access authorizations (role-based access control)
● Patch management
Patch management is a regular procedure for installing patches on plant computers.
● Malware detection & prevention
Use of suitable and correctly configured virus scanners
Measures such as "system hardening", "user and patch management" as well as "malware
detection & prevention" are summarized under the heading "Integrity Protection or Endpoint
Protection".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

14 Configuration Manual, 03/2016, A5E35032082-AB
 Security strategies
3.3 Example configuration

The following figure shows the "defense-in-depth" strategy:

3.3 Example configuration

This compendium orients itself on the concept of defense-in-depth in its design and
structure. In line with the concept, the individual sections are divided into the measures of
network security (division into security cells, securing access points and secure
communication between components in different security cells) and the measures of system
integrity. This includes the sections "System hardening", "User management & operator
authorization", "Patch management" and "Virus scanners".

Note
Note that the example configuration presented in this section depicts a plant configuration
without any safety measures. The example configuration shown above is a negative
example from a security point of view. This document presents a step-by-step description of
how this plant configuration can be made more secure by implementing security measures.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 15
Security strategies
3.3 Example configuration

Example configuration
The measures presented in this compendium and configuration examples are illustrated
using the following example configuration:

The example configuration consists of a total of five S7 controllers that assume the
measuring and control tasks within the process-related system. Five OS servers (two
redundant pairs of servers and a single OS server) and four OS clients are planned for
controlling and monitoring. In addition, a Web server is envisaged for operator control and
monitoring via the corporate network and the Internet. For this, the terminal bus is connected
with the corporate network which, in turn, provides Internet access. An engineering station is
available for configuring the overall plant.
The industrial process plant is divided into two or more independent units. Three S7
controllers are used for the measuring and control tasks of Unit A, while two S7 controllers
are used for those of Unit B. The four OS clients should allow both units to be operated and
monitored. For this purpose, Unit A and B are each assigned a redundant OS server pair.
Unit A also features another OS server, which is not configured redundantly. An OS client is
to serve as a local operating station at a filling station.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

16 Configuration Manual, 03/2016, A5E35032082-AB
Network security 4
4.1 Automation and security cells
The strategy for dividing plants and connected plants into security cells increases the
availability of the overall system. Failures or security threats that result in failure can thereby
be restricted to the immediate vicinity. During the planning of the security cells, the plant is
first divided into process cells and then into security cells based on the security measures.
You can learn about the criteria for dividing a system into automation and security cells in the
document "Security Concept PCS 7 & WinCC (Basic)
(http://support.automation.siemens.com/WW/view/en/60119725))"

Example configuration: Division into security cells

The example configuration consists of two independent units with a common operating and
monitoring level. Hence, a security cell for Unit A can be formed with the S7 controllers and
OS servers assigned to Unit A in each case. A separate security cell is formed for Unit B and
the controllers and OS servers assigned to this unit.
The division of the overall plant into a security cell for Unit A as well as Unit B also demands
the separation of plant bus and terminal bus. The OS clients, on which operating and
monitoring of the entire process (Units A and B) is to be performed, are assigned to the
security cell of Unit A. As a result, a communication between the security cells of Unit A and
B must be ensured.
The Web server, which is used for operating and monitoring from the corporate network or
from the Internet, is placed in a separate security cell (perimeter). The virus scanner server
and update server are also placed in this security cell. A quarantine PC is also implemented
in the perimeter security cell for the data exchange (project data/project backup) between the
security cells.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 17
Network security
4.1 Automation and security cells

The components of the production planning connection (SIMATIC IT), in turn, are combined
in a separate security cell (MES). This results in four different security cells (DCS1, DCS2,
MES and Perimeter) for the example configuration, which are shown in the following figure:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

18 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.2 Addressing and segmenting

4.2 Addressing and segmenting

IP address

Note
The term "IP Address" is used in this document in the sense of an IPv4 address. The
opposite of this is an IPv6 address. This document does not deal with the IPv6 address.

An IP address consists of 32 bits. Usually, a notation is used with four decimal numbers
(from 0 to 255) delimited by periods (decimal point notation). Each decimal number, also
known as an octet, represents 8 bits (1 byte) of the 32-bit address:

IPv4 address
Binary 1100 0000 1010 1000 0000 0001 0000 1010
Hexadecimal C0 A8 01 0A
Decimal 192 168 1 10

Subnets
The strategy of a spatial and functional division of an automation plant must also be reflected
in the network configuration. This can be achieved by the selection of the IP address range
and the formation of subnets associated with it. Subnets are used to subdivide an existing
network into additional, smaller networks (PCN, CSN, MON, perimeter, etc.) without
requiring additional Class A, Class B or Class C IP addresses.
A subnet therefore refers to a network section for the Internet protocol (IP). The subnet
groups several sequential IP addresses by means of a subnet mask. Hence, the subnet
mask divides an IP address into a network part and a host part. It has the same structure as
an IP address (4 bytes). By definition, all bits of the network part must be set to TRUE = 1
and all bits of the host part to FALSE = 0.

Network and host part of an IP address

IP address 141.84.65.2 1000 1101 0101 0100 0110 0101 0000 0010
Network mask 255.255.255.0 1111 1111 1111 1111 1111 1111 0000 0000
Network 141.84.65.0 1000 1101 0101 0100 0110 0101 0000 0000
0000 0000 0000 0000 0000 0000 1111 1111
Host 2 0000 0000 0000 0000 0000 0000 0000 0010

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 19
Network security
4.2 Addressing and segmenting

Network classes
The address classes are defined by the Internet Assigned Numbers Authority (IANA) to
systematically assign address prefixes to networks of varying size. The class of addresses
indicates how many bits were used for the network ID and how many bits were used for the
host ID. The address classes also determine the number of networks possible and the
number of hosts per network. Of the five address classes, Class A, B and C are reserved for
IPv4 unicast addresses. Private IP address ranges have also been defined within these
three network classes. From a network security point of view, these private IP address
ranges have the advantage that they cannot be forwarded (routed) on the Internet. As a
result, a direct attack from the Internet on a system PC is already being prevented.

Network address range CIDR notation Number of addresses Network class

10.0.0.0 – 10.255.255.255 10.0.0.0/8 224 = 16.777.216 Class A:
1 private network with
16,777,216 addresses
172.16.0.0 – 172.31.255.255 172.16.0.0/12 220 = 1.048.576 Class B:
16 private networks with
65,536 addresses each
192.168.0.0 – 192.168.0.0/16 216 = 65.536 Class C:
192.168.255.255 256 private networks with
256 addresses each

4.2.1 Example configuration: Division into subnets

Addresses from the private IP address range for Class C shall be used for addressing the
automation networks in the example configuration (CSN plant bus, PCN terminal bus, etc.).
This range features:
● 256 Class C networks (subnet 192.168.0.x to 192.168.255.x)
● 254 hosts per network (IPv4 address 192.168.x.1 to 192.168.x.254)
The network address 192.168.2.0 must be divided into four subnets of equal size (same
number of hosts in the subnet). The division into four networks (Perimeter Network, Process
Control Network 1, Process Control Network 2 and Manufacturing Operations Network)
requires 2 bits (22 = 4).
This enables segmentation into four networks with the following subnet mask:
1111 1111.1111 1111.1111 1111.1100 0000 = 255.255.255.192

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

20 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.2 Addressing and segmenting

This results in the following networks:

● Network 1: Manufacturing Operations Network (IP addresses of the MON)

Network 1: Manufacturing Operations Network

Network address 192.168.2.0
Address of the first host 192.168.2.1
Address of the last host 192.168.2.62
Broadcast address 192.168.2.63

● Network 2: Process Control Network 1 (IP addresses of the PCN1 - Unit A)

Network 2: Process Control Network 1

Network address 192.168.2.64
Address of the first host 192.168.2.65
Address of the last host 192.168.2.126
Broadcast address 192.168.2.127

● Network 3: Process Control Network 2 (IP addresses of the PCN2 - Unit B)

Network 3: Process Control Network 2

Network address 192.168.2.128
Address of the first host 192.168.2.129
Address of the last host 192.168.2.190
Broadcast address 192.168.2.191

● Network 4: Perimeter Network (IP address of the Perimeter network)

Network 4: Perimeter Network

Network address 192.168.2.192
Address of the first host 192.168.2.193
Address of the last host 192.168.2.254
Broadcast address 192.168.2.255

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 21
Network security
4.2 Addressing and segmenting

Example: The four computers with the IP addresses 192.168.2.10, 192.168.2.100,

192.168.2.149 and 192.168.2.201 are located in different subnets among which the routing
must be performed. This means broadcast addresses in the Manufacturing Operations
Network are not transmitted to the other subnets. Failures in individual subnets will remain
localized to these subnets.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

22 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.2 Addressing and segmenting

The routing between the various networks is performed by the two back-end firewalls in the
aforementioned configuration. This requires establishing an appropriate network rule within
the firewall used. The following figure shows an example of this rule in the Microsoft
Forefront TMG Management:

This network rule performs the routing between the PCN, MON and Perimeter networks in
the example configuration. The data traffic between the security cells of units A and B is
routed through the two back-end firewalls.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 23
Network security
4.2 Addressing and segmenting

4.2.2 Example configuration: Setting of IP addresses and subnet mask

Procedure
The following procedure is described using the example of the "Windows 7" operating
system.
To set the IP address, subnet mask and default gateway, follow these steps:
1. Open the Network and Sharing Center with the command "Start > Control Panel >
Network and Sharing Center".
The "Network and Sharing Center" dialog box opens.
2. In the left navigation pane of the dialog, click on "Change adapter settings".
The "Network Connections" dialog box opens.
3. Open the status display of the corresponding network connection (Process Control
Network 1 or 2, Perimeter Network or Manufacturing Operations Network) by double-
clicking on the icon.
The status display dialog of the network connection opens.
4. Click the "Properties" button.
Enter the administrator password, if required. If you are logged on as an administrator,
confirm the execution of the application.
The "Local Security Policy" dialog box opens.
5. Select the "Internet Protocol Version 4(TCP/IPv4)" option and click on the "Properties"
button.
The properties dialog of the "Internet Protocol Version 4(TCP/IPv4)" option opens.
6. Select "Use the following IP address" option and enter the IP address of the
corresponding computer in the "IP address" box.
7. In the "Subnet mask" box, enter the subnet mask of the computer.
8. Confirm the changes with "OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

24 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.2 Addressing and segmenting

Example
In the following figure, a computer located in Process Control Network 1 is addressed. The
OS server with the name "OSS1A" has a network connection to the Process Control Network
1. The subnet mask 255.255.255.192 was specified for this network by the division into
subnets. Hence, the IP addresses available within this network are the addresses from
192.168.2.65 to 192.168.2.126.
The IP address 192.168.2.101 was specified for the OS server "OSS1A" and inserted in the
"IP address" box of the properties dialog for "Internet Protocol Version 4(TCP/IPv4)". The
subnet mask 255.255.255.192 specified above was entered in the "Subnet mask" box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 25
Network security
4.2 Addressing and segmenting

This procedure is used to assign the corresponding IP address to all computers.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

26 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.3 Name resolution

4.3 Name resolution

Computer name
The computer name is used to uniquely identify a computer within a network. This is the
prerequisite for communication with the computer. The name has to be uniquely associated
with the computer. This ensures that a computer can be reliably located. Inadvertent double
allocation of computer names can cause unpredictable behavior during communication.
Since the NetBIOS name is derived from the computer name (see NetBIOS name) and the
NetBIOS name must be unique for NetBIOS name resolution, the computer name may not
be longer than 15 characters.
The computer name must be unique and should allow an inference to be made about the
function of the computer.

Note
You can learn about the rules for assigning the computer name in the installation manual
"SIMATIC Process Control System PCS 7 PC Configuration"
(http://support.automation.siemens.com/WW/view/en/90635791).
Refer also to the following documents:
• FAQ "Why is the underscore character not permitted in computer names in PCS 7?"
(http://support.automation.siemens.com/WW/view/en/67794552)
• Microsoft Support Center: "Naming conventions in Active Directory for computers,
domains, sites, and OUs" (http://support.microsoft.com/kb/909264/en)
You can find more naming conventions in the following documents:
• Manual "SIMATIC Process Control System PCS 7 Engineering System"
(http://support.automation.siemens.com/WW/view/en/90663380) section "Rules for
naming in the PH"
• Online help WinCC Information system "Working with projects > Appendix > Invalid
characters"
• "Projects.pdf" file. You can find this file in the installation folder of the SIMATIC product
range of Siemens AG.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 27
Network security
4.3 Name resolution

Changing the computer name

NOTICE

The computer name may be changed only prior to the installation of SIMATIC PCS 7.

Procedure
The following procedure is described using the example of the "Windows 7" operating
system.
To change the computer name, follow these steps:
1. Select the command "Start > Control Panel > System".
The "System" dialog opens.
2. Click the "Change settings" link in the "Settings for computer name, domain and
workgroup" section.
If prompted, enter the administrator password as required. If you are already logged on
as an administrator, confirm the execution of the application.
The "System Properties" dialog box opens.
3. Click "Change" in the "Computer name" tab.
The "Computer Name/Domain Changes" dialog box opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

28 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.3 Name resolution

4. In the "Computer name" box, enter the name of the computer.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 29
Network security
4.3 Name resolution

NetBIOS name
Source: Microsoft Support Center "TCP/IP Fundamentals for Microsoft Windows"
A NetBIOS name is a 16-byte (16-character) name based on the computer name that
designates a NetBIOS application in the network. The service uses the first 15 characters of
the computer name plus the character 0x20 as the 16th character as the exact name. A
NetBIOS name is either a unique (exclusive) name or a (non-exclusive) group name. If a
NetBIOS application communicates with a specific NetBIOS application on a single
computer, unique names are used. If a NetBIOS process communicates with several
NetBIOS applications on different computers, a group name is used.

Fully Qualified Domain Name

The "Fully Qualified Domain Name" (FQDN) is comprised of the computer name and the
domain name and, therefore, cannot be used multiple times.

NetBIOS name resolution

Source: Microsoft Support Center "TCP/IP Fundamentals for Microsoft Windows"
NetBIOS name resolution is the process of assigning an IPv4 address to a NetBIOS name.
The following methods can be used for the successful NetBIOS name resolution:
● Default methods for the NetBIOS name resolution

Method Description
NetBIOS name A local table stored in RAM that contains the NetBIOS names with the corre-
cache sponding IPv4 addresses recently resolved by the local computer.
NBNS A server that provides the NetBIOS names. For WINS, this is the Microsoft
implementation of an NBNS.
Local broadcast NetBIOS Name Query Request broadcast messages that are transmitted to
the local subnet.

● Additional Microsoft-specific methods for the NetBIOS name resolution

Method Description
Lmhosts files Local text file in which NetBIOS names are assigned to their IPv4 addresses.
The Lmhosts file is used for NetBIOS applications that are executed on com-
puters in remote subnets.
Local host name Configured host name of the computer
DNS resolution Local RAM-based table that contains domain names and IPv4 address as-
cache signments from entries in the local HOSTS file as well as the names to be
resolved via DNS.
DNS server Server that manages databases with assignments of IPv4 addresses to host
names.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

30 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.3 Name resolution

NetBIOS name resolution by using the Lmhosts file

Source: Microsoft Support Center "TCP/IP Fundamentals for Microsoft Windows"
The Lmhosts file is a static text file with NetBIOS names and IPv4 addresses. NetBT uses
the Lmhosts file to resolve NetBIOS names for NetBIOS applications that are executed on
remote computers in a network without NBNS. The Lmhosts file features the following
characteristics:
● Entries consist of an IPv4 address and a NetBIOS computer name, for example:
131.107.7.29 OSSRV01
● The entries are not case-sensitive.
● A separate file is located on every computer in the folder %windir%\system32\Drivers\etc.
This folder also contains an Lmhosts sample file (Lmhosts.sam). You can create your own
file with the name Lmhosts or copy Lmhosts.sam in this folder to Lmhosts.
To avoid network broadcasts, the entries in the Lmhosts file must be made with the keyword
#PRE. The keyword #PRE specifies which entries should be loaded into the NetBIOS name
cache as permanent entries at the beginning. With previously loaded entries, the network
broadcasts are reduced since names could possibly be resolved via the cache instead of via
broadcast queries.
Example:

192.168.2.101 OSSRV01A #PRE

192.168.2.102 OSSRV01B #PRE

NetBIOS name resolution with NetBIOS name server

Source: Microsoft Support Center "TCP/IP Fundamentals for Microsoft Windows"
To resolve NetBIOS names of NetBIOS applications that are executed on local computers or
remote computers, NetBT usually utilizes a NetBIOS name server (NBNS). If an NBNS is
used, the name resolution is performed as follows:
1. NetBT checks the NetBIOS name cache for assignments of NetBIOS names to IPv4
addresses.
2. If the name cannot be resolved with the NetBIOS name cache, NetBT sends a NetBIOS
Name Query Request unicast message to the NBNS that contains the NetBIOS name of
the target application.
3. If the NBNS can resolve the NetBIOS name for an IPv4 address, the NBNS returns the
IPv4 address to the transmitting host with a positive NetBIOS name query response
message. If the NBNS cannot resolve the NetBIOS name for an IPv4 address, the NBNS
sends a negative NetBIOS name query response message.
On a computer under Windows Server 2008 R2 or Windows 7, three attempts are made to
locate the primary NBNS server. If no response is received or a negative NetBIOS name
query response message indicates that the name resolution has failed, a computer under
Windows attempts to contact additional WINS servers.
WINS (Windows Internet Name Service) is the Windows implementation of a NetBIOS Name
Server (NBNS), which provides a distributed database for registering and querying dynamic
assignments of NetBIOS names to the IPv4 addresses used in the network.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 31
Network security
4.3 Name resolution

Host name resolution (DNS name resolution)

Source: Microsoft Support Center "TCP/IP Fundamentals for Microsoft Windows"
Host name resolution refers to the correct assignment of a host name to an IP address. A
host name is an alias name that was assigned to an IP node. The IP node is, therefore,
identified as TCP/IP host. The host name can consist of up to 255 characters. It can contain
alphabetical and numerical characters, hyphens and periods. You can assign multiple host
names to the same host.
For Winsock programs (Windows Sockets), e.g. Internet Explorer and the FTP utility, one of
two values can be set for the desired target: The IP address or a host name. If the IP
address is specified, the name resolution is not required. If a host name is specified, it must
be resolved in an IP address before IP communication with the required resource can start.
Different types of host names can be used. A freely selectable name and a domain name are
usually used. A freely selectable name is an alias name for an IP address that can be
assigned and used by individual persons. A domain name is a structured name in a
hierarchically organized namespace that is referred to as DNS (Domain Name System). An
example for a domain name is www.microsoft.com.
Freely selectable names are resolved via entries in the "Hosts" file. This file is located in the
folder "systemroot\System32\Drivers\etc".
To resolve domain names, DNS name queries are sent to a configured DNS server. The
DNS server is a computer on which entries with assignments of domain names to IP
addresses or information about other DNS servers are stored. The DNS server resolves the
queried domain name into an IP address and returns the result.
You have to configure your computers with the IP address of the responsible DNS server to
resolve domain names. You have to configure Active Directory-based computers under
Windows or operating systems of the Windows Server product family with the IP address of
a DNS server.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

32 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.3 Name resolution

Example configuration: Name resolution

The example configuration was divided into four or five security cells (DCS1, DCS2, MES
and Perimeter). None of these security cells contains a WINS server for the NetBIOS name
resolution. A DNS server for the host name resolution is also lacking in every security cell.
The "lmhosts" file should be configured on every computer to ensure an error-free name
resolution.
First, a computer name must be assigned to each computer. To do so, proceed as described
under the heading "Changing the computer name". Note that the computer name may be
changed only prior to the installation of SIMATIC PCS 7 and prior to the initial opening of the
WinCC Explorer.
After a computer name and an IP address have been specified for every computer, you can
configure the "lmhosts" file. Proceed as follows:
1. Open the file "Lmhosts.sam" (e.g. using "Notepad").
It is located in the directory "%windir%\system32\Drivers\etc" and is a sample file that can
be used as a template to create the individual Lmhosts file.
2. Add a new line at the end of the file for each computer of the plant.

3. Configure all computers, including those located in the security cells "MES", "Perimeter",
"DCS1" and "DCS2".
4. Save the file with "Save As" and assign the name "Lmhosts" (without file extension) to the
file.
5. Copy the file from the computer where you have created it to all other computers in the
plant.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 33
Network security
4.4 Managing networks and network services

4.4 Managing networks and network services

The management of the network settings and required network services of a process control
system can be organized in a distributed or central way. Mixed configurations of central and
distributed management are possible.

Central management (domain, active directory)

All required information and settings can be configured centrally:
● IPv4 addresses, subnet mask, default gateway, DNS server via DHCP
● DNS and NetBIOS name resolution via DNS or WINS
● Time synchronization (NTP, SNTP)

Distributed management (Windows workgroups)

All of the required information and settings must be configured locally on every individual
computer within the process control system.

RADIUS
RADIUS (Remote Access Dial In User Service) is a network protocol that provides central
authentication, authorization and user account management. The central user authentication
of network components should preferably be performed using a central RADIUS server, e.g.
the Network Policy Server (NPS) as a part of the MS Active Directory. You can find
information on the configuration of RADIUS options for network devices in the manuals for
the SCALANCE X network devices.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

34 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.5 Access points to the security cells

DHCP
DHCP (Dynamic Host Configuration Protocol) allows client computers and other TCP/IP-
based network devices to be assigned valid IP addresses automatically. The additional
configuration parameters required by these clients and devices, for example, DNS server,
WINS server, default gateway, subnet mask can also be provided.
DHCP was developed with the following two application scenarios in mind:
● Large networks with frequently changing topology.
● Users who simply want to have "a network connection" and do not want to deal with the
network configuration in any detail.
Both of these application scenarios do not apply to an automation system. Using DHCP
involves several security risks that cannot be outweighed by the benefits of an automation
plant.

Note
Using a DHCP server
The use of a DHCP server for automatic network configuration (IPv4 address, subnet mask,
etc.) is not recommended for security reasons.
If a DHCP server is used, address reservations must be used.

4.5 Access points to the security cells

4.5.1 Overview
One of the factors for designing the security cells is that they should only have one access
point. Any access to the security cell via this access point may occur only after verifying the
legitimacy (persons and devices have to be authenticated and authorized) and must be
logged. The access points should prevent unauthorized data traffic to the security cells while
allowing authorized and necessary traffic for smooth operation of the system.
The access point to a security cell can be designed differently depending on requirements of
the configuration and functionality.
You can find information about the various concepts in the manual "SIMATIC Process
Control System PCS 7 Security Concept PCS 7 & WinCC (Basic)"
(http://support.automation.siemens.com/WW/view/de/60119725/0/en).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 35
Network security
4.5 Access points to the security cells

4.5.2 Automation Firewall Appliance

To implement the different solutions for access points according to the PCS 7 & WinCC
security concept (front-end/back-end firewall, triple-homed firewall or access point firewall),
the Automation Firewall Appliance is available as a SIMATIC PCS 7 add-on.
The current solution for the automated firewall is based on the firewall solution from
Microsoft (Microsoft Forefront Threat Management Gateway 2010). An optimized rule base
can be created using the Industrial Wizard and integrated SecureGUARD Appliance
Management.

Note
The current solution of the automation firewall is based on the Microsoft Forefront TMG
2010. As of December 2012, this Microsoft product ceased to be available. An alternative
firewall solution is currently being evaluated. However, a final result was not available at the
time of this document's publication.
For this reason, the required firewall rules have been neutrally formulated over the course of
development.
You can find the complete range of products for automation firewalls in the PCS 7 Add-on
catalog. You can download this catalog from the SIMATIC PCS 7 website
(https://www.automation.siemens.com/mcms/process-control-systems/en/simatic-pcs-
7/Pages/simatic-pcs-7.aspx).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

36 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.5 Access points to the security cells

4.5.3 Example configuration: Access rules

Access rules
In the example configuration, the access points to the four security cells (DCS1, DCS2, MES
and Perimeter) are secured with firewalls. The result is a front-end/back-end firewall solution
(with two back-end firewalls).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 37
Network security
4.5 Access points to the security cells

To ensure unrestricted operation, a data exchange between the different security cells is
required. To ensure this data exchange, the corresponding access rules must be stored in
the firewalls that act as access point to the security cells.
The following table features the required cross-security cell data exchange:

Security cell Security cell Via Purpose

Perimeter DSC1 Back-end firewall 1 • Distribution of Windows updates (security patches
and critical patches) via PCS7WSUS to all comput-
ers within PCN1
• Distribution of virus signature files via VSCAN to all
computers within PCN1
• Communication between PCS7WEBSRV1 and
OSS1A/B, OSS2 and ES1
• File transfer between QPC and ES1
Perimeter DCS2 Back-end firewall 2 • Distribution of Windows updates (security patches
and critical patches) via PCS7WSUS to all comput-
ers within PCN2
• Distribution of virus signature files via VSCAN to all
computers within PCN2
• Communication between PCS7WEBSRV1 and
OSS3A/B
Perimeter MES Back-end firewall 1 • Distribution of Windows updates (security patches
and critical patches) via PCS7WSUS to all comput-
ers within MON
• Distribution of virus signature files via VSCAN to all
computers within PCN2
MES DCS1 Communication between the SIMATIC IT servers and
OSS1A/B and OSS2
DCS1 DCS2 Back-end firewalls 1 and • Communication between OSS3A/B in PCN2 and the
2 OS clients in PCN1
• Communication between OSS3A/B in PCN2 and the
ES1 in PCN1

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

38 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.5 Access points to the security cells

Based on the table above, the following access rules apply to back-end firewalls 1 and 2:
● Example configuration: Access rules for back-end firewall 1

Name Action Protocols From To

Perimeter WSUS to Allow HTTP, [WSUS] [OS Server]
PCN1 OS Server #1 HTTPS [192.168.2.201] [192.168.2.101,
192.168.2.102]
[OS Server]
[192.168.2.103]
PCN1 OS Server to Allow HTTP, [OS Server] [WSUS]
Perimeter WSUS #1 HTTPS [192.168.2.103] [192.168.2.201]
PCN1 OS Server to Allow HTTP, [OS Server] [WSUS]
Perimeter WSUS #2 HTTPS [192.168.2.101, [192.168.2.201]
192.168.2.102]
Perimeter Virus Scan Allow HTTP, PatternUpdate] [OS Server]
Server to PCN1 OS HTTPS [192.168.2.204] [192.168.2.101,
Server #1 192.168.2.102]
[OS Server]
[192.168.2.103]
PCN1 OS Server to Allow HTTP, [OS Server] [PatternUpdate]
Perimeter Virus Scan HTTPS [192.168.2.103] [192.168.2.204]
Server #1
PCN1 OS Server to Allow HTTP, [OS Server] [PatternUpdate]
Perimeter Virus Scan HTTPS [192.168.2.101, [192.168.2.204]
Server #2 192.168.2.102]
PCN1 OS Server to Allow IPSec1 [OS Server] [OS WebNavigator]
Perimeter OS WebNa- [192.168.2.103] [192.168.2.203]
vigator #1
PCN1 OS Server to Allow IPSec1 [OS Server] [OS WebNavigator]
Perimeter OS WebNa- [192.168.2.101, [192.168.2.203]
vigator #2 192.168.2.102]
Allow Web servers to Allow IPSec1 [OS WebNavigator] [OS Server]
access PCN1 #1 [192.168.2.203] [192.168.2.101,
192.168.2.102]
[OS Server]
[192.168.2.103]
1)The use of the "IPSec" protocol type requires a certificate-based signed connection via IPSec conforming to the security
policy between the components in the various security cells. If there is no such connection, "All outbound traffic" can also
be set. However, this dispenses the port filtering for such a FW rule.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 39
Network security
4.5 Access points to the security cells

● Example configuration: Access rules for back-end firewall 2

Name Action Protocols From To

Perimeter WSUS to Allow HTTP, [WSUS] [OS Server]
PCN2 OS Server #1 HTTPS [192.168.2.201] [192.168.2.141,
192.168.2.142]
PCN2 OS Server to Allow HTTP, [OS Server] [WSUS]
Perimeter WSUS #1 HTTPS [192.168.2.141, [192.168.2.201]
192.168.2.142]
Perimeter Virus Scan Allow HTTP, [PatternUpdate] [OS Server]
Server to PCN2 OS HTTPS [192.168.2.204] [192.168.2.141,
Server #1 192.168.2.142]
PCN2 OS Server to Allow HTTP, [OS Server] [PatternUpdate]
Perimeter Virus Scan HTTPS [192.168.2.141, [192.168.2.204]
Server #1 192.168.2.142]
PCN2 OS Server to Allow IPSec1 [OS Server] [OS WebNavigator]
Perimeter OS WebNa- [192.168.2.141, [192.168.2.203]
vigator #1 192.168.2.142]
Allow Web servers to Allow IPSec1 [OS WebNavigator] [OS Server]
access PCN1 #1 [192.168.2.203] [192.168.2.141,
192.168.2.142]
1)The use of the "IPSec" protocol type requires a certificate-based signed connection via IPSec conforming to the security
policy between the components in the various security cells. If there is no such connection, "All outbound traffic" can also
be set. However, this dispenses the port filtering for such a FW rule.

The example configuration contains only one engineering station in security cell DCS1 which
is also being used for the configuration of the OS servers OSS3A and OSS3B. To ensure the
configuration steps, specifically loading the OS, you also have to manually configure the
following access rules:

Name Action Protocols From To

PCN2 OS Server to Allow IPSec1 [OS Server] [ES Engineering Sta-
PCN ES – Engineering [192.168.2.141, tion] [192.168.2.111]
Station #1 192.168.2.142]
PCN ES Engineering Allow IPSec1 [ES Engineering Sta- [OS Server]
Station to PCN2 OS – tion] [192.168.2.111] [192.168.2.141,
Server #1 192.168.2.142]
1)The use of the "IPSec" protocol type requires a certificate-based signed connection via IPSec conforming to the security
policy between the components in the various security cells. If there is no such connection, "All outbound traffic" can also
be set. However, this dispenses the port filtering for such a FW rule.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

40 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.5 Access points to the security cells

It should also be possible to operate and monitor the OS servers OSS3A and OSS3B from
the OS clients in the PCN. To ensure this, you need to configure the following access rules:

Name Action Protocols From To

PCN2 OS Server to Allow IPSec1 [OS Server] [ES Client]
PCN OS Client #1 [192.168.2.141, [192.168.2.91]
192.168.2.142]
PCN2 OS Server to Allow IPSec1 [OS Server] [ES Client]
PCN OS Client #2 [192.168.2.141, [192.168.2.92]
192.168.2.142]
PCN2 OS Server to Allow IPSec1 [OS Server] [ES Client]
PCN OS Client #3 [192.168.2.141, [192.168.2.93]
192.168.2.142]
PCN2 OS Server to Allow IPSec1 [OS Server] [ES Client]
PCN OS Client #4 [192.168.2.141, [192.168.2.94]
192.168.2.142]
PCN OS Client to Allow IPSec1 [ES Client] [OS Server]
PCN2 OS Server #1 [192.168.2.91] [192.168.2.141,
192.168.2.142]
PCN OS Client to Allow IPSec1 [ES Client] [OS Server]
PCN2 OS Server #2 [192.168.2.92] [192.168.2.141,
192.168.2.142]
PCN OS Client to Allow IPSec1 [ES Client] [OS Server]
PCN2 OS Server #3 [192.168.2.93] [192.168.2.141,
192.168.2.142]
PCN OS Client to Allow IPSec1 [ES Client] [OS Server]
PCN2 OS Server #4 [192.168.2.94] [192.168.2.141,
192.168.2.142]
1)The use of the "IPSec" protocol type requires a certificate-based signed connection via IPSec conforming to the security
policy between the components in the various security cells. If there is no such connection, "All outbound traffic" can also
be set. However, this dispenses the port filtering for such a FW rule.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 41
Network security
4.5 Access points to the security cells

Example configuration: Web publishing of a PCS 7 web server at the front-end firewall
To access a Web server in the Perimeter network from an external network, it must be
published via the front-end firewall. The technique of Web publishing, which is supported by
the automation firewall and is used here, offers better security than the obsolete technique of
Web tunneling or Web forwarding. Opening port 80 or 443 and subsequently simply passing
the queries through the front-end firewall directly to the Web server, as called for in this
technique, should no longer be applied.
During Web publishing (see the following figures), the Web client does not directly access
the Web server from the external network. Instead, it directs its query to the automation
firewall (1). The automation firewall forwards this verified query to the Web server (2), and
receives the requested information in return (3). It then forwards this information to the Web
client (4).

Only HTTPS should be allowed between Web client and automation firewall. This ensures
the authenticity of the TMG via server certificate is guaranteed and encrypts the
communication between Web client and firewall, thereby protecting it against manipulation.
Depending on the desired internal security, either HTTP or HTTPS can be used for the
automation firewall access to the Web server.
If Web clients from an external network are to access the Web server, it must be published
at the front-end firewall. If Web clients from an MES network (MON) should be allowed
access, however, the publishing is performed at the back-end firewall.

Note
The steps for configuring the OS Web server and the settings of the Web client are
described in the manual "SIMATIC Process Control System PCS 7 Web Option"
(http://support.automation.siemens.com/WW/view/de/90682846).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

42 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.5 Access points to the security cells

Example configuration: Web publishing of a PCS 7 web server at the front-end firewall
In order to reach the PCS 7 Web server that is located in the Perimeter network from another
internal network, for example, from the Manufacturing Operations Network (MON) via a Web
client, the Web server must first be published at the back-end firewall 1.
Since this functionality is not implemented in the Industrial Wizard, you need to perform the
publishing rule using the Microsoft Forefront TMG Management Console in the back-end
firewall.

Network Intrusion Prevention / Network Intrusion Detection System

An intrusion detection or intrusion prevention system (IDS/IPS) is an essential part of a
modern, secure Web gateway. The Network Inspection System (NIS) in Microsoft Forefront
TMG 2010 is an implementation of the IDS/IPS functionality. NIS is designed specifically for
detecting and preventing attacks on Microsoft operating systems and applications. NIS is
based on signatures developed by the Microsoft Malware Protection Center (MMPC) and
distributed via Windows Update or WSUS.
NIS in Microsoft Forefront TMG 2010 offers protection against known attacks using low-level
network protocol inspection. Each data packet is analyzed for protocol status, structure and
content of the message. NIS checks the received data packet only after it has been checked
by the firewall policy and any assigned Web or application filters.

Additional information
You can find the complete range of products for automation firewalls in the PCS 7 Add-on
catalog. You can download this catalog from the SIMATIC PCS 7 website
(https://www.automation.siemens.com/mcms/process-control-systems/en/simatic-pcs-
7/Pages/simatic-pcs-7.aspx).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 43
Network security
4.6 Secure communication between security cells

4.6 Secure communication between security cells

4.6.1 Overview
In many cases, data exchange between components located in different security cells is
required for the regular operation of a plant. The following variants have to be differentiated
here:
● Data exchange on the CSN level
Data exchange between automation systems in different security cells
● Data exchange on the PCN level
Data exchange for operating and monitoring with remote OS clients, which means OS
clients located in other security cells than the corresponding OS server(s).

4.6.2 Data exchange between automation systems

4.6.2.1 Introduction
The data exchange between automation systems in different security cells should be
performed via VPN connection (IPSec). This communication can be established using two
SCALANCE S security modules.
The following figure shows an example of communication between automation systems in
different security cells:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

44 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

In the internal networks protected by SCALANCE S, IPSec tunnels provide the node for a
secured data connection through the unsecured external network.
This gives the data exchange of the devices via the IPSec tunnels in the VPN the following
properties:
● The exchanged data are interception-proof so that the confidentiality of the data is
secured.
● The exchanged data are tamper-proof, which secures the integrity of the data.
● Authenticity
SCALANCE S uses the IPSec protocol for tunneling (tunnel mode of IPSec).

Note
You can find additional information on SCALANCE S in the manual "SIMATIC NET Industrial
Ethernet Security Basics and application"
(https://support.industry.siemens.com/cs/ww/en/view/67437017).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 45
Network security
4.6 Secure communication between security cells

4.6.2.2 Example configuration: Establishing secure communication between security cells with
SCALANCE S

Introduction
In this example, the tunnel function is configured in the "Default mode" configuration view. In
this example, SCALANCE S Module 1 and SCALANCE S Module 2 form the two endpoints
of the tunnel for the secured tunnel connection.
The following figure shows an example of a VPN tunnel (IPSec tunnel with two SCALANCE
S modules):

The internal (secure) network is connected to SCALANCE S at Port 2 ("internal network

port"). In the internal network, the network node is represented by an automation system in
each case which is connected to the "internal network" port 2 (Port 2 = green) of a
SCALANCE S module.
● AS1: Represents a node of the CSN in security cell 1 (internal network 1)
● AS2: Represents a node of the CSN in security cell 2 (internal network 2)
● SCALANCE S Module 1: SCALANCE S module for security cell 1
● SCALANCE S Module 2: SCALANCE S module for security cell 2
The public, external network ("unsecured network") is connected to the "external network"
port (Port 1 = red) of the SCALANCE S module.
The engineering station is used for configuration. To do so, the "Security Configuration Tool"
must be installed on the ES.

Overview of configuration steps

1. Configuring SCALANCE S and networks
2. Configuring IP settings of automation systems
3. Creating project and security modules
4. Configuring the VPN group
5. Loading the configuration in SCALANCE S
6. Test

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

46 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

Configuring SCALANCE S and networks

To set up the SCALANCE S and the network connections, follow these steps:
1. Start up the SCALANCE S according to the operating instructions.
2. Establish the physical network connections by inserting the connectors of the network
cables into the ports (RJ45 sockets):
– Connect Control System Network 1 with Port 2 of Module 1 and Control System
Network 2 with Port 2 of Module 2.
– Connect Port 1 of Module 1 and Port 1 of Module 2 with a network switch and
establish the "external" network.
– Switch on the participating components.

Configuring IP settings of automation systems

Set up the following IPv4 address settings for the automation systems:

Automation system IPv4 address Subnet mask Standard gateway

AS 1 192.168.1.1 255.255.255.0 192.168.1.200
AS 2 192.168.2.1 255.255.255.0 192.168.2.200

The following figure shows an example of how the IPv4 address of the automation system is
set:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 47
Network security
4.6 Secure communication between security cells

Creating project and security modules

The SCALANCE S modules are configured with the "Security Configuration Tool".
To create the project and the modules for the example configuration, follow these steps:
1. Start the "Security Configuration Tool" software.
2. Create a new project with the command "Project > New".
3. Create a new user with user name and associated password.
The user is automatically assigned the "Administrator" role. Confirm the entries with "OK".
A new project is created. The "Selection of a module or software configuration" dialog
opens.
4. Select the following options in the "Product type", "Module" and "Firmware release"
areas:
– Product type: SCALANCE S
– Module: S612
– Firmware release: V44

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

48 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

5. In the "Configuration" area, enter the MAC address in the specified format.

Note
The MAC address is printed on the front of the SCALANCE S module.

6. In the "Configuration" area, enter the external IP address (192.0.0.201) and the external
subnet mask (255.255.0.0) in the specified format and confirm your entries with "OK".
7. In the "Interface routing external/internal" area, select the entry "Routing mode" from the
drop-down list.
8. Enter the internal IP address 192.168.1.200 and the internal subnet mask 255.255.255.0
in the specified format and confirm the dialog with "OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 49
Network security
4.6 Secure communication between security cells

9. Select the "Insert > Module" menu command.

The "Selection of a module or software configuration" dialog opens.
10. Repeat the steps for the second security module. In doing so, assign the following
address parameters to the security module:
– IP address (ext.): 191.0.0.202
– Subnet mask (ext.): 255.255.0.0
– Interface routing external/internal: Routing mode
– IP address (int.): 192.168.2.200
– Subnet mask (int.): 255.255.255.0

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

50 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

Configuring the VPN group

Two security modules can establish an IPSec tunnel for secure communication when they
are assigned to the same group in the project. To configure a tunnel connection, follow these
steps:
1. In the Security Configuration Tool, select the entry "VPN groups" and select the "Insert >
Group" command in the shortcut menu.
A VPN group is created. The VPN group automatically receives the name "Group1".

2. Select the entry "All modules" in the navigation window.

3. Select the first security module in the content area and drag it to the VPN group "Group1"
in the navigation window.
The security module is assigned to this VPN group. The color of the key icon changes
from gray to blue.
4. Select the second security module in the content area and drag it to the VPN group
"Group1" in the navigation window.
The second security module is also assigned to this VPN group.
5. Save the project with "Project > Save".
This concludes the configuration of the tunnel connection.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 51
Network security
4.6 Secure communication between security cells

Loading the configuration to the security modules

To load the configuration created in the SCALANCE S modules, follow these steps:
1. Select the command "Transfer > To all modules…".
The "Download configuration data to security modules" dialog opens.

2. Select the command "To all modules ..." in the "Transfer" menu.
3. Select both security module with "Select all".
4. Start the download process with "Start".
If the download process takes place without any errors, the security modules are
restarted automatically and the new configuration is activated.

Note
You can find more information about configurations and application possibilities of SIMATIC
security products under FAQ
(http://support.automation.siemens.com/WW/view/en/67329379) or in the Siemens Industry
Online Support Portal.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

52 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

4.6.3 Data exchange for operating and monitoring with remote OS clients

Introduction
The data exchange between PCS 7 OS stations (PCS 7 OS servers and PCS 7 OS client(s))
located in different security cells (possibly spatially separated, i.e. in different buildings)
should be encrypted. Such encrypted communications may on the one hand can be
established by means of two SCALANCE S security modules, as shown and described in the
previous section (see figure Variant 1 below). On the other hand, such encrypted
communication can be configured directly at the relevant PCS 7 OS stations (see figure
Variant 2 below). This configuration is described in the following.

Version 1: Communication with two Version 2: Encrypted communication directly

SCALANCE S modules from the OS server to the OS client

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 53
Network security
4.6 Secure communication between security cells

The two versions shown here have two major distinctions. One is the end point of the
encryption. With variant 1, the end point is always the SCALANCE S security module. With
version 2, the end point is the PCS 7 OS client on the one hand and the PCS 7 OS server on
the other. The second major difference is the scope of the encryption. In the first version, the
entire communication is encrypted by the encoded tunnel which exists between the
SCALANCE S security modules. In version 2, only the communication between PCS 7 OS
server and PCS 7 OS client is encrypted. Any other possible communication is not encrypted
in version 2.
Depending on the risk analysis, you can also use a combination of both versions.

Encrypted communication (Version 2)

When encrypted communication is used, the only connections established are to computers
for which a common PSK (pre-shared key) has been set. Only systems configured with the
same PSK can communicate with each other. The Windows "Security Support Provider
Interface" (SSPI) is used for communication. This interface allows authenticated and
encrypted communication between the participating PCS 7 OS systems.
In addition, a fixed port can be set for communicate. This fixed communication port is used
for the TCP and UDP based communication between the participating PCS 7 OS systems.
This enables port filtering for a communication through a firewall.

Note
You can enable encrypted communication for the stations that actively engage in process
mode:
• Operator station
• Engineering station
• SIMATIC Route Control
• SIMATIC BATCH

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

54 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

Encrypted communication is configured using the Simatic Shell. Proceed as follows:

1. Select the SIMATIC Shell in the Windows Explorer.
2. Open the shortcut menu and select the "Settings" command.

The "Communication Settings" dialog opens.

3. Select the "Encrypted communication" check box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 55
Network security
4.6 Secure communication between security cells

Note
You can find additional information on migration mode in the "SIMATIC Process Control
System PCS 7 – PC Configuration"
(http://support.automation.siemens.com/WW/view/en/90635791) manual.

The "Set PSK" dialog box opens.

4. Specify a PSK and click "OK".
The PSK must be at least 8 characters long and include uppercase/lowercase letters as
well as numbers and symbols. The key strength is displayed next to the text box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

56 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

5. You can set the TCP/UDP port for communication in the range 1024 to 65535 in the
"Encrypted communication" area.
If port 8910 is used for example, communication specifically for the PCS 7 OS on this
station will run exclusively through TCP port 8910, UDP port 8910 and ICMP.

The migration mode is relevant for an upgrade scenario if the settings for encrypted
communication are to be changed during ongoing operation of the plant.

Note
Using SIMATIC NET Softnet IE-RNA in connection with WinCC Secure Communication
When using SIMATIC NET Softnet IE-RNA in PCS 7 V8.1, you must disable secure
communication (WinCC Secure Communication) option in SIMATIC Shell (see PCS 7
Readme").

Note
You also find information on this in the manual "SIMATIC Process Control System PCS 7 PC
Configuration" (http://support.automation.siemens.com/WW/view/en/90635791).

See also
PCS 7 Readme 1 (http://support.automation.siemens.com/WW/view/en/101094704)

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 57
Network security
4.6 Secure communication between security cells

4.6.4 Quarantine station (file server)

Introduction
A quarantine station is a central data communication point in a plant. A quarantine station is
used to transfer data (for example, configuration or engineering data) to certain computers
within the automation system or from computers of the automation system to the quarantine
station.
The quarantine station is therefore important when the recommendations relating to system
hardening are implemented, particularly for blocking the USB ports in the automation system
(see section Working with mobile data media (Page 84)). As a central data communication
point, the quarantine station should be especially protected from a security point of view.
Therefore, the local security measures (for example, firewall, virus scanner, etc.) should be
configured more strictly for it.
As shown in the example configuration, the quarantine station should be positioned in the
Perimeter network. A corresponding rule must be stored in the back-end firewall(s) to ensure
communication between the quarantine station and the computers in security cells DCS1
and DCS2 via the back-end firewall(s).

Firewall rules
If the automation firewall is used as back-end firewall, the quarantine station (FTP server) at
the back-end firewall can be published for the security cells DCS1 and DCS2 (see Web
publishing of the PCS 7 Web server at the front-end firewall or Web publishing of the PCS 7
Web server at the back-end firewall). For this purpose, a corresponding publishing rule (FTP
forwarding) must be configured with the "Publish Non-Web Server Protocols" task in the
automation firewall (Microsoft Forefront TMG Management Console):

Name Action Traffic From To Networks

Publish FTP serv- Allow FTP server Anywhere IP address of PCN1
er quarantine station

This FTP publication of the FTP server (quarantine station) achieves a higher security
compared to a pure port release.

Note
You can find the complete range of products for automation firewalls in the PCS 7 Add-on
catalog. You can download this catalog from the SIMATIC PCS 7 website
(https://www.automation.siemens.com/mcms/process-control-systems/en/simatic-pcs-
7/Pages/simatic-pcs-7.aspx).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

58 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

If a firewall is used that does not offer the possibility of an FTP publication, the following
tables show the required firewall rules:
● Front-end firewall

Name Action Protocols From To

ECN computer to Allow FTP / 21 IP address of the IP address of the Q-
perimeter Q-PC computer in the Office PC in the Perimeter
network network
Perimeter Q PC to Allow FTP / 21 IP address of the Q- IP address of the
ECN computer PC in the Perimeter computer in the Office
network network

The rules in the front-end firewall are only required if FTP data access from the ECN
(Enterprise Control Network) to the quarantine station is planned in the Perimeter network.
● Back-end firewall

Name Action Protocols From To

Perimeter Q-PC to Allow FTP / 21 IP address of the Q- IP address of the
PCN ... #1 PC in the Perimeter computer in PCNx
network (e.g. ES1)
PCN … to Perimeter Allow FTP / 21 IP address of the IP address of the Q-
Q-PC #1 computer in PCNx PC in the Perimeter
(e.g. ES1) network

FTP server configuration

Enabling FTP Service

The following procedure is described using the example of the "Windows 7" operating
system.
To enable FTP Service on the quarantine station, follow these steps:
1. In the Windows Start menu, select the command "Start > Control Panel > Programs and
Features".
The "Uninstall or change a program" dialog opens.
2. Click "Turn Windows features on or off" in the navigation pane.
Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application. The "Windows Features" dialog
opens.
3. Enable the "FTP Service" feature in the area "Internet Information Services > FTP
Server".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 59
Network security
4.6 Secure communication between security cells

4. Enable the "IIS Management Console" and "IIS Admin Service" features in the "Web
Management Tools" area.

5. Click "OK" to apply the changes

The selected features are enabled.

Staring FTP Service

To launch the Microsoft FTP Service, follow these steps:
1. Right-click on "Computer" and select the shortcut menu command "Manage".
Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application. The "Computer Management"
dialog opens.
2. In the navigation pane, select "Services and Applications > Services".
The right pane of the dialog lists all available services .
3. Select "Microsoft FTP Service" and check the following properties:
– Startup type: Automatic
– Status: Started
If the property values differ, open the "Properties" dialog from the shortcut menu of the
service and change the properties as described above.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

60 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

Configuring the FTP server

To configure the FTP server, follows these steps:
1. In the Windows Start menu, right-click on "Computer" and select the shortcut menu
command "Manage".
Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application.
The "Computer Management" dialog opens.
2. In the navigation pane, click on the item "Services and Applications > Internet Information
Services (IIS) Manager."
The Internet Information Services (IIS) Manager window opens in the right pane of the
"Computer Management" dialog.

3. To add an FTP site as the FTP root directory, create a new folder on the data partition
(D:\) with the name "Data Exchange" (D:\Data Exchange).
4. Right-click on the "Sites" icon. Select the "Add FTP Site" command from the shortcut
menu.
The "Add FTP Site" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 61
Network security
4.6 Secure communication between security cells

5. In the "Add FTP Site" dialog, enter a name for the FTP site and the physical path to the
directory you have created (D:\Data Exchange).

6. Click "Next".
The "Binding and SSL Settings" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

62 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.6 Secure communication between security cells

7. Make the following settings in the "Binding and SSL Settings" dialog:
– The "Binding" area, "IP address" box: Select "All Unassigned" in the drop-down list.
– SSL area: Enable the option "None".

8. Click "Next".
The "Authentication and Authorization Information" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 63
Network security
4.6 Secure communication between security cells

9. Make the following settings in the "Authentication and Authorization Information" dialog:
– "Authorization > Access allowed for" area: Select the entry "Specific users" from the
drop-down list and enter the authorized users in the box below.
– "Permissions" area: Enable the check boxes "Read" and "Write".

10.Click "Finish" to complete the configuration.

Patch management, virus protection and whitelisting

The quarantine station is an "entrance gate" for data to the automation system. Hence,
malware can also enter the system via this station. This is why this station must be
integrated and included in the patch management and virus protection concept of the
system. In other words, the quarantine station must regularly receive the latest Windows
updates. The WSUS server, which is also located in the Perimeter network, can serve as
update source. In addition, a current virus scanner must be installed on the quarantine
station. The station receives current virus definitions via the virus scanner server, which is
also located in the Perimeter network. Whitelisting is an additional protection that should also
be implemented at the quarantine station (see the corresponding sections of this document).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

64 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.7 Configuration of the SCALANCE X network components

4.7 Configuration of the SCALANCE X network components

It is especially important to observe the following points when configuring the network
components (e.g. Ethernet switches):
● Disabling non-required ports
● Changing the preconfigured default password
● Disabling non-required protocols

Note
Read the operating instructions for the corresponding devices when configuring the
SCALANCE X Industrial Ethernet switches.
If you use third-party switches to configure the various networks switches, follow the
corresponding manufacturer operating instructions when configuring these devices.

Disabling non-required ports

Unused ports (ports of the Ethernet switch) that are not required and to which no terminal
devices are connected must be disabled. To do this, go to the "Switch Ports" WBM menu
and disable the non-required ports in this window.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 65
Network security
4.7 Configuration of the SCALANCE X network components

This dialog provides information about the current status of the port. In addition, various port
settings can be performed:
● Port: Shows the port number.
● Type: Shows the type of port.
● Mode: Shows the transmission rate (10 or 100 Mbps) and the transfer procedure (full-
duplex or half-duplex).
● Negotiation: Indicates whether auto-negotiation is enabled or disabled.
● Status: Indicates that the port is switched on.
● Link: Indicates the connection status to the network.
If a port is not used, the status of this port must be set to "Disabled".

System passwords
Change passwords for the users "Admin" and "User" in the "System Passwords" dialog. The
following passwords are preset in the factory state:
● "User" user: user
● "Admin" user: admin
You need to log on as the administrator to change the passwords. Click the "Set Value"
button to confirm your changes.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

66 Configuration Manual, 03/2016, A5E35032082-AB
 Network security
4.7 Configuration of the SCALANCE X network components

Disabling non-required protocols

The access options to the IE switch are specified in the "Agent Configuration" dialog, which
can be accessed via the "Agent" folder icon. Furthermore, the network configuration for the
IE switch can be defined here.

Use of static IP addresses

Note that a static IP address is used with a subnet mask for this setting. For more on this,
see section "Managing networks and network services" (Page 34), subsection "DHCP
(Dynamic Host Configuration Protocol)".

Specifying protocols
We recommend that you only specify the "HTTPS" protocol for accessing the IE switch. To
do this, disable all protocols (for example, FTP, TELNET, E-mail) in the "Agent
Configuration" dialog and select only the "HTTPS only" protocol.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 67
Network security
4.7 Configuration of the SCALANCE X network components

Additional information
You can find more information in the following manuals:
● SIMATIC NET Industrial Ethernet Switches SCALANCE X-300 / X-400 Configuration
Manual (http://support.automation.siemens.com/WW/view/en/88213893)
● SIMATIC NET Industrial Ethernet Switches SCALANCE X-200 Configuration Manual
(http://support.automation.siemens.com/WW/view/en/102051772)
Support for realizing and implementing network security in your plant is available from the
Industrial Security Services. You can find additional information and the corresponding
contacts at (http://www.industry.siemens.com/topics/global/en/industrial-
security/services/Pages/Default.aspx) .
You can also send your query directly via e-mail to "[email protected]".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

68 Configuration Manual, 03/2016, A5E35032082-AB
System hardening 5
5.1 Overview
Source: https://www.bsi.bund.de
"The term "hardening" in information security is understood to mean the removal of all
software components and functions that are not absolutely necessary to fulfill a given task."
In other words, hardening summarizes all measures and settings with the goal of
● Reducing the opportunities to exploit vulnerabilities in software
● Minimizing potential methods of attack
● Limiting the tools available for a successful attack
● Minimizing the available rights following a successful attack
● Increasing the probability of detecting a successful attack
This is intended to increase local security and the resilience of a computer to withstand
attacks.
It follows that a system can be described as "hardened" if:
● The software components and services installed are limited to those that are required for
the actual operation
● Restrictive user management is implemented
● The local Windows Firewall is enabled and it is restrictively configured

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 69
System hardening
5.2 Installing the operating system

5.2 Installing the operating system

Introduction
The operating system and SIMATIC PCS 7 software are pre-installed on the SIMATIC PCS
7 Industrial Workstation (IPC).

Note
When performing a manual installation, you need to comply with the requirements and
procedures described in the following documents:
• PCS 7 Readme (http://support.automation.siemens.com/WW/view/en/101094704)
• Manual "SIMATIC Process Control System PCS 7 PC Configuration"
(http://support.automation.siemens.com/WW/view/en/90635791)

For a SIMATIC PCS 7 computer that fulfills a specific function in an automation plant (OS
server, OS client, engineering station, etc.), some programs installed during the installation
of the operating system may not be required. These programs should be removed. In most
cases, this involves "Windows components", such as Games, Calculator, Notepad,
WordPad, Paint, etc.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

70 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.2 Installing the operating system

Removing Windows components

The following procedure is described using the example of the "Windows 7" operating
system.
To remove unneeded Windows components, follow these steps:
1. In the Windows Start menu, select the command "Start > Control Panel > Programs and
Features".
The "Uninstall or change a program" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 71
System hardening
5.2 Installing the operating system

2. Click "Turn Windows features on or off" in the navigation pane.

Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application.
The "Windows Features" dialog opens.

3. Disable the unused components.

4. Confirm the changes with "OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

72 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.2 Installing the operating system

Disabling services
In accordance with the specifications for hardening a system, unneeded services should be
disabled in addition to the software packages that are not required for the operation of a
system.
The following services can be disabled:

Service Operating system

Certificate distribution Windows 7, Windows Server 2008 R2
Diagnostic Policy Service Windows 7, Windows Server 2008 R2
Diagnostic Service Host Windows 7, Windows Server 2008 R2
Windows Color System Windows 7, Windows Server 2008 R2
Windows Connect Now - Config Registrar Windows 7
Performance Logs and Alerts All
Windows Presentation Foundation Font Cache All

If you select the "System hardening" option during the installation of SIMATIC PCS 7, the
services listed in the table service are disabled.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 73
System hardening
5.2 Installing the operating system

Procedure
To disable a service, follow these steps:
1. In the Windows Start menu, right-click on "Computer" and select the shortcut menu
command "Manage".
Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application.
The "Computer Management" dialog opens.
2. In the navigation pane, select "Services and Applications > Services".
The right pane of the dialog lists all available services . The "Status" column indicates
whether the service is currently running. The "Startup type" column shows how the
service is started, "Manual" or "Automatic", or if the service has not been started,
"Disabled".

3. In the right area, select the service to be disabled, and open the properties dialog of the
service by double-clicking on it.
4. Click "Stop" to stop the service.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

74 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.3 Security Controller

5. Select "Disabled" as the startup type and confirm your changes with "OK".

See also
Microsoft Security Bulletin MS13-098 (https://technet.microsoft.com/en-
us/library/security/ms13-098.aspx)

5.3 Security Controller

The Security Controller (as of PCS 7 V8.0) is a program that performs application-specific
security settings. The Security Controller (SC) is integrated by default in SIMATIC PCS 7
and SIMATIC WinCC.
The option enabling SC to automatically perform the settings must be explicitly confirmed
when the program is installed.
The communication to non-configured devices or to other subnets, as well as the use of non-
configured users is not possible or extremely restricted.
When changing the plant configuration or changing the roles of users, be aware that the
local firewall configuration or the local group memberships must be adapted accordingly.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 75
System hardening
5.3 Security Controller

The Security Controller makes the following settings automatically:

● Group Settings (User Management – SIMATIC Logon)
● Registry settings
● Windows Firewall exceptions
● DCOM settings
● File and/or Directory Permissions
These settings are performed depending on the installation (PCS 7 OS Server, PCS 7 OS
Client, ES, etc.) and for the following software packages:
● Automation License Manager
● File and Printer Sharing
● SIMATIC Batch
● SIMATIC Communication Services
● SIMATIC Logon
● SIMATIC Management Console
● SIMATIC NET PC Software
● SIMATIC PC Diagnosis Application
● SIMATIC PCS 7 Engineering System
● SIMATIC Route Control
● SIMATIC SFC Visualization (SFV)
● SIMATIC STEP 7 components
● SIMATIC WinCC
● SIMATIC WinCC OPC
● SIMATIC WinCC User Archive
● SQL Server (SQL Server version depends on the SIMATIC PCS 7 version)

Note
You can also find information on this in the manual "SIMATIC Process Control System PCS
7 PC Configuration" (http://support.automation.siemens.com/WW/view/en/90635791).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

76 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.4 Windows Firewall

5.4 Windows Firewall

Introduction
As described in the "Security Controller" (Page 75) section, Security Controller (as of PCS 7
V8.0) or SIMATIC Security Control (<PCS 7 V8.0) makes setting relating to the Windows
Firewall. With respect to the example configuration in which communication of PCS 7
computers must be guaranteed among various subnets, the Windows Firewall needs to be
manually adapted.

Example configuration: Windows Firewall

The following procedure is described using the example of the "Windows 7" operating
system.
To prevent the Windows Firewall from blocking the communication, for example between the
OS Web server with the IP address 192.168.2.203 and the OS server OSS1A with the IP
address 192.168.2.101, which are located on different subnets (Perimeter network and
PCN1), the following changes must be made in the Windows Firewall or in the firewall rules:
1. Select the command "Start > Control Panel > System and Security > Windows Firewall":
The "Windows Firewall" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 77
System hardening
5.4 Windows Firewall

2. Click "Advanced Settings" in the left navigation pane.

Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application.
The "Windows Firewall" dialog box opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

78 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.4 Windows Firewall

3. In the left navigation pane, click "Inbound Rules".

The "Inbound Rules" are displayed.

4. Open the properties of an active file and printer sharing rule with a double-click.
The properties dialog of this rule opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 79
System hardening
5.4 Windows Firewall

5. Open the "Scope" tab.

The "Remote IP address" area shows the IP address range for which this firewall rule
does not block the inbound communication.
In the case of the figure below, the communication is allowed only with computers in the
"Local subnet". Communication with computers in a different subnet is thus blocked.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

80 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.4 Windows Firewall

6. In order to allow communication of OS server "OSS1A" to the OS Web server with the IP
address 192.168.2.203 in the subnet "Perimeter network", click the "Add" button in the
"Remote IP Address".
The configuration dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 81
System hardening
5.4 Windows Firewall

7. Select the option "This IP address or subnet:" and enter the "IP address" of the
communication partner. If you configure the firewall rules on OS server "OSS1A", enter
the IP address of the OS Web server 192.168.2.203 in this dialog and confirm the entry
with the "OK" button.

8. Confirm the change with "OK".

9. Adapt all inbound and outbound rules accordingly.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

82 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.5 BIOS settings

5.5 BIOS settings

The following BIOS settings should be performed on each computer in your plant:
● The access to the BIOS must be protected with a password. The password must be set
by an administrator and handled as confidential.
● The boot sequence of the computer must be set in the BIOS in such a way that it boots
from the hard drive. This means that the hard drive must be set as the first boot medium.
This will make it more difficult to boot from other media, such as CD or USB.
● The startup order of the various media of the computer must be set in the BIOS in such a
way that the hard disk is started first. This will make it more difficult to boot from other
media, such as CD or USB.
● The USB ports must be disabled, unless they are required for peripheral devices, such as
mouse or keyboard.

Note
The settings for a specific computer depend on the installed BIOS (for example, the
manufacturer or version). The specific options of the setting can be found in the
corresponding system description.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 83
System hardening
5.6 Working with mobile data media

5.6 Working with mobile data media

5.6.1 Overview

Introduction
In addition to the definition and designation of mobile data media, this section provides
information about the settings to be performed with respect to mobile data media.

Mobile data media

Source:
https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/
baust/b05/b05014.html
There are a multitude of different variants of mobile data media, including diskettes,
removable disks, CDs/DVDs, USB hard disks and also Flash memories such as USB sticks.
Given this multitude of forms and application areas, not all of the required security
considerations are taken into account at all times.
Mobile data media can be used for
● data exchange,
● data transport between IT systems that are not networked with each other, or between
different locations,
● archiving or storing backups, if other automated methods are not appropriate,
● storing data that are too sensitive to be stored on workstations or servers,
● mobile data usage or data generation (e.g. MP3 player, digital camera, etc.).

Definition of USB storage media

Source:
https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/
m/m04/m04200.html
A variety of optional equipment can be connected to a PC via the USB interface. This
includes hard disks, CD / DVD burners and memory sticks, for example. USB memory sticks
consist of a USB connector and a memory chip. Despite their large capacity, they are small
enough that they can be designed as key chains, for example, and they can fit into any
pocket. The drivers for USB mass storage devices are already integrated in modern
operating systems so that no software installation is necessary to operate them. In general,
this measure does not relate exclusively to USB memory media, but generally to all USB
devices that can store data. Among others, USB printers and USB cameras can be
"misused" to save the data. This is especially true for "smart" USB devices such as PDAs,
which can take on any USB identity if they are equipped with special software.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

84 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

Restricting user accesses to USB ports

Source:
https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKataloge/Inhalt/_content/
m/m04/m04200.html
Similarly to floppies, uncontrolled information and programs can be read or written via USB
storage media. Therefore, USB storage media should generally be dealt with similar to
conventional storage media. The access to floppy drives can be prevented relatively easily.
In contrast, the operation of USB storage media can be very difficult to prevent when the
USB interface is used for other devices. For example, there are laptops that only offer the
USB interface for connecting a mouse. This is why it is usually not practical to use a "USB
Lock" or to disable the interface by other mechanical means. The use of interfaces should
therefore be regulated by assigning appropriate rights on the operating system level or with
the help of additional programs.

Working with USB ports

In addition to the BIOS settings for disabling the USB port (see section "BIOS settings
(Page 83)"), unwanted access can also be restricted using Windows settings. Blocking the
USB ports via the BIOS settings or the hardware profile can prohibit unauthorized use of
USB storage media.

Restricting access to USB storage media using Windows

The following describes various procedures that show how Windows resources (Windows 7
or Windows Server 2008) can be used to prevent or restrict access to USB storage media:
● Blocking access to USB storage media using group policy
● Regulating the use of USB storage media using group policy
● Disabling the Autoplay function using group policy
● Disabling the Autorun functions using group policy

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 85
System hardening
5.6 Working with mobile data media

5.6.2 Blocking access to USB storage media using group policy in Windows 7 and
Windows Server 2008 R2

Procedure
1. Click "Start" and enter the string "gpedit.msc" in the "Search" box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

86 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

2. Start the group policy editor as an administrator.

This action requires administrator rights. For this reason, log in as administrator or start
the group policy editor as administrator. Enter the administrator password, if required.
The group policy editor opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 87
System hardening
5.6 Working with mobile data media

3. Select the folder "Computer Configuration > Administrative Templates > System>
Removable Storage Access".

4. Double-click the group policy "All Removable Storage classes: Deny all access".
The Group Policy properties dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

88 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

5. Select "Enabled" and confirm your changes with "OK".

6. Reboot the computer.

Note
Access to USB storage media can also be locked using a global group policy in a central
domain for all computers.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 89
System hardening
5.6 Working with mobile data media

5.6.3 Regulating the use of USB storage media using group policy in Windows 7 and
Windows Server 2008 R2
To use a USB storage medium on a computer, the device must first be installed. This always
occurs automatically when the device is initially connected to a computer. This installation
can be influenced via group policies:
● The installation of explicitly defined devices by the user can be allowed (positive list)
● The installation of explicitly defined devices by the user can be disallowed (negative list)
● Read and write access to mobile data media, such as USB sticks, USB HDDs, diskettes,
CD/DVD burners, can be configured.
In order to influence the installation of a device using group policies as described in the
above-mentioned situations, you need to know the hardware ID of the device.

Determining the hardware ID of a device

To determine the hardware ID of a device, follow these steps:
1. Connect the device with a Windows PC and wait until the installation of the corresponding
driver finishes.
Successful installation is indicated with the message "Your device is ready to use".

2. After successful device driver installation, open the Device Manager.

3. In the properties of the corresponding device, open to the "Details" tab.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

90 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

4. Select "Hardware IDs" from the drop-down list to display the hardware IDs of the device.
You need the hardware IDs to configure the respective group policies.

5. Select "Compatible IDs" from the drop-down list to display the compatible IDs of the
device.
You need the compatible IDs to configure the respective group policies.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 91
System hardening
5.6 Working with mobile data media

Uninstalling the device

After determining the hardware ID, the device must be uninstalled. In a subsequent step, you
explicitly permit the installation of the device via the group policies.
To uninstall the device, follow these steps:
1. Right-click on the device and select the command "Uninstall".

2. Click "OK" in the final dialog.

Correlation of group policies

The device installation characteristics can be specified through group policies. You can view
these group policies in the Group Policy Editor under "Computer Configuration >
Administrative Templates > System> Device Installation > Device Installation Restrictions". It
contains the following policies:
● Allow administrators to override "Device Installation Restriction" policies
● Prevent installation of devices not described by other policy settings
● Allow installation of devices that match any of these device IDs
● Prevent installation of devices that match any of these device IDs
● Allow installation of devices with drivers that correspond to these device setup classes
● Prevent installation of devices with drivers that correspond to these device setup classes
● Prevent installation of removable devices

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

92 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

The correlation of the above-mentioned group policies is shown in the following diagram:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 93
System hardening
5.6 Working with mobile data media

To allow only very specific devices on a computer based on the above-mentioned group
policies, follow these steps:
1. Prevent the installation of all devices on the computer.
2. Explicitly allow a specific device to be installed.
To prevent the installation of all devices on the computer, proceed as follows:
1. Ensure that all devices are uninstalled in the Device Manager.
2. Open the Group Policy Editor and navigate to the folder "Computer Configuration >
Administrative Templates > System > Device Installation > Device Installation
Restrictions".
The group policies are displayed in the right pane of the editor.
3. Open the properties of the group policy "Prevent installation of devices not described by
other policy settings" by double-clicking on the policy.
The properties dialog of the group policy opens.
4. Enable the group policy using the "Enabled" option and confirm the setting by pressing
"OK".
The installation of all devices on the computer is prohibited.
In the next step, you have to allow the users with administrator rights to suspend the policies
under "Device installer compliance". This then allows administrators to install hardware
drivers on the computer using the Add Hardware Wizard when restricted device installation
is enabled. To enable this group policy, follow these steps:
1. Open the properties of the group policy "Prevent installation of devices not described by
other policy settings" by double-clicking on the policy.
The properties dialog of the group policy opens.
2. Enable the group policy by selecting the "Enabled" option and confirm your setting with
"OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

94 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

In the next step, you have to explicitly permit the installation of certain devices (positive list).
Proceed as follows:
1. Open the properties of the group policy "Allow installation of devices that match any of
these device IDs" by double-clicking on the policy.
The properties dialog of the group policy opens.
2. Enable the group policy using the "Enabled" option.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 95
System hardening
5.6 Working with mobile data media

3. Click the "Show" button to display the devices that are enabled on your computer for
installation.
The released devices are displayed in the "Show content" dialog.

4. To release additional devices for installation on your computer, enter the hardware IDs of
the devices in the dialog.
You can determine the hardware ID of the device using the Device Manager.
5. Confirm the settings with "OK".
The installation and use of the specified devices are allowed by the user on your
computer. The administrator is not subject to this restriction.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

96 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

5.6.4 Disabling Windows Autorun / Autoplay for CD/DVD drives and USB storage
media
Source: http://support.microsoft.com/kb/967715/en
The main purpose of Autorun is to respond to hardware actions that are started on a
computer on the software side. Autorun offers the following features:
● Double-click
● Shortcut menu
● Autoplay
These features are typically called from removable media or network shares. With Autoplay,
a search is made for the "Autorun.inf" file on the medium and it is analyzed, if found. This file
specifies the commands to be executed by the system. Usually, this functionality is used to
start installation programs. However, this function can also be used to launch malicious
software such as Trojans.

The "ShellHWDetection" service is responsible for Autorun as well as for Autoplay.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 97
System hardening
5.6 Working with mobile data media

5.6.4.1 Disabling the Autoplay function using group policy in Windows 7 and Windows Server
2008 R2

Procedure
To disable the Autoplay function, follow these steps:
1. Click "Start" and enter the string "gpedit.msc" in the "Search" box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

98 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

2. Start the group policy editor as an administrator.

This action requires administrator rights. For this reason, log in as administrator or start
the group policy editor as administrator. Enter the administrator password, if required.
The group policy editor opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 99
System hardening
5.6 Working with mobile data media

3. Select the folder "Computer Configuration > Administrative Templates > Windows
Components > Autoplay Policies".
The associated policies for the folder are displayed in the right pane of the editor.

4. Double-click the group policy "Turn off Autoplay".

The properties dialog of the group policy opens.
5. Select the "Enabled" option.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

100 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

6. In the "Turn off Autoplay on:" area select the "All drives" option from the drop-down list.

7. Confirm the settings with "OK".

8. Reboot the computer.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 101
System hardening
5.6 Working with mobile data media

5.6.4.2 Disabling all Autorun functions using group policy in Windows 7 and Windows Server
2008 R2

Procedure
To disable the Autorun feature, follow these steps:
1. Click "Start" and enter the string "gpedit.msc" in the "Search" box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

102 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

2. Start the group policy editor as an administrator.

This action requires administrator rights. For this reason, log in as administrator or start
the group policy editor as administrator. Enter the administrator password, if required.
The group policy editor opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 103
System hardening
5.6 Working with mobile data media

3. Select the folder "Computer Configuration > Administrative Templates > Windows
Components > Autoplay Policies".
The associated policies for the folder are displayed in the right pane of the editor.

4. Double-click the group policy "Default Autorun Behavior".

The properties dialog of the group policy opens.
5. Select the "Enabled" option.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

104 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.6 Working with mobile data media

6. From the drop-down list in the "Default Autorun Behavior" area, select the "Do not
execute any autorun commands" option.

7. Confirm the settings with "OK".

8. Reboot the computer.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 105
System hardening
5.7 Whitelisting

5.7 Whitelisting

Introduction
The approach of whitelisting is that only applications deemed as trustworthy are allowed to
run on the computer system. These applications are maintained in a positive list (whitelist).
Since whitelisting is based on a positive list, there is no need for continuous updates to
combat new malware threats.

McAfee Application Control

McAfee Application Control allows blocking of unauthorized applications on servers and
workstations. This means that after the installation and activation of McAfee Application
Control on a computer system, all executable files are protected against changes and
unknown (not on the whitelist) executable files are prevented from being launched.
In contrast to simple whitelisting designs, McAfee Application Control uses a dynamic
trustworthiness model. This makes time-consuming manual updates of lists of approved
applications unnecessary. Updates can be installed in different ways:
● By trusted users
● By trustworthy manufacturers (certificate)
● From a trusted directory
● By means of binary file
● Using an updater (update programs such as WSUS or virus scanners)
Moreover, McAfee Application Control offers a feature that monitors memory, protects
against buffer overflow, and protects the files that run in memory.
McAfee Application Control can be administered in the following ways:
● Locally on a computer system (standalone)
● Centrally using McAfee ePolicy Orchestrator (ePO)
The decision as to whether McAfee Application Control is to be administered centrally or
locally should be made based on the number of systems to be maintained.
The following procedure applies regardless of the type of administration:
● After installing McAfee Application Control on a computer, the computer must first be
"solidified". This means that all connected local drives are scanned for executable files.
The duration of this procedure depends on the data volume and computing power and
may take several hours. This takes approx. 20-30 minutes for a PCS 7 OS server
installation and medium-sized projects with the current hardware.
● After enabling McAfee Application Control, the computer must be restarted. All
executables (exe, com, dll, bat, etc.) found during the scan are now protected against
manipulation (modification, renaming, deletion, etc.). New files cannot be executed.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

106 Configuration Manual, 03/2016, A5E35032082-AB
 System hardening
5.7 Whitelisting

Local administration of McAfee Application Control

Local administration is handled exclusively by means of command line input. The commands
are clear and self-explanatory. McAfee also provides good documentation. McAfee
Application Control can be operated conveniently using batch files or scripts.

Central administration of McAfee Application Control using McAfee ePO

McAfee ePO should be installed on a separate computer that contains the latest hardware. If
the system already contains an infrastructure computer (e.g. WSUS, virus scan server),
McAfee ePO can also be installed on this computer. McAfee ePO may not be installed on an
automation device or a domain controller.
The central administration (installation, configuration and monitoring) is performed via
McAfee ePO (McAfee ePolicy Orchestrator). McAfee ePO software is a management tool
that can manage all McAfee products and offers many network management and network
monitoring features, some free of charge.
Similar to an Active Directory Domain, central administration should be used in domains
consisting of approx. 10 or more managed systems. All local commands and options of
McAfee Application Control are also available remotely through ePO, some through pre-
defined tasks and the remainder through remote command line options. By comparison to
local administration, ePO offers superior monitoring functions and a clearly arranged event
management.

Additional information
The whitelist solution from McAfee Application Control has been approved for different
SIMATIC PCS 7 versions. You can find details about the compatibility with SIMATIC PCS 7
under Hotspot-Text (http://support.automation.siemens.com/WW/view/en/64847781).
You can find a description of the recommended procedure with McAfee Application Control
under Hotspot-Text (http://support.automation.siemens.com/WW/view/en/88653385).
In addition to the system hardening options described above, there are options that relate to
topics such as device hardening (of network devices and automation systems). They are part
of the industrial security services. You can find additional information and the corresponding
contacts at Hotspot-Text (http://www.industry.siemens.com/topics/global/en/industrial-
security/Pages/default.aspx).
You can also send your query directly via e-mail to "[email protected]".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 107
System hardening
5.8 SIMATIC S7 CPUs

5.8 SIMATIC S7 CPUs

Since the S7-400 controllers are the most critical components in a PCS 7 configuration, it is
recommended to configure a password and an appropriate protection level. The password
should have sufficient complexity. This means, for example, that the password should
consist of letters, numbers and special characters and be at least 8 characters long.
For S7-400 CPUs, a protection level can be defined in the project to prevent unauthorized
access to the CPU program.
You can choose between three protection levels. Protection level 1 means no access
restriction and protection level 3 has the strictest access restriction.
It is recommended that you configure at least protection level 2.
We also recommend that you use the increased password security option. The increased
password security is only relevant for the engineering system. When this option is selected,
the password entered in the data management is stored encrypted. This setting increases
the password security. The setting has no effect on the behavior in password mode.
You can find detailed information on protection levels of S7-400 CPUs under SIMATIC S7-
400H Fault-tolerant Systems
(http://support.automation.siemens.com/WW/view/en/82478488).
If S7-400 CPUs with an integrated Web server (S7-400 PN standard) are used, ensure that
the Web server is disabled in the CPU.

5.9 SIMATIC NET S7-400 - Industrial Ethernet CPs

In addition to an integrated Web server, Industrial Ethernet CPs (CP 443-1) include a variety
of other integrated servers (depending on the CP 443-1 type). For the purpose of system
hardening, you have to proceed as described in the preceding sections: All services and
procedures that are not required should be switched off or disabled. This means the
integrated servers, such as Web server, FTP server as well as SNMP should be disabled.
When using the CP 443-1 Advanced-IT, security settings have to be made with the Security
Configuration Tool (SCT).

IP access protection
The Industrial Ethernet CPs (CP 443-1) let you configure IP access protection by means of
ACL. Depending on the CP type, access can be configured for the following options:
● Web server
● FTP server
● Access protection for IP communication
This options lets you restrict access to the local S7 station to partners with specific IP
addresses. This means unauthorized partners do not have access to the S7 station.
You can find additional information on Security for SIMATIC NET in the "Industrial Ethernet
Security - Setting up security"
(http://support.automation.siemens.com/WW/view/en/60166939) manual.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

108 Configuration Manual, 03/2016, A5E35032082-AB
User Administration and Operator Permissions 6
6.1 Overview
Management of user and operator permissions involves the assignment of permissions in
the Windows environment as well as the assignment of roles to users based on activities.
These procedures are rigorously separated from each other, but both are strictly applied
under the principle of minimum required rights. A simple check can be performed with the
following questions:
● Who has to do what?
● Who is allowed to do what?
When logging onto the operating system, users must obtain the permissions required for
performing their tasks.
When logging onto the control system (e.g. at the OS client operating station or at the
engineering system, etc.), the operator/engineer must obtain the permissions required for
his/her role (e.g. as operator of a unit).

6.2 Windows workgroup or Windows domain

When Windows workgroups are used, the computers and users are managed decentralized
and locally on each individual computer. Within Windows domains (Active Directory),
centralized management of computers and users is possible.

When should plants be operated in Windows workgroups?

Operating a plant without centralized Windows management is recommended under the
following conditions:
● The plant has no more than approximately 10 computers.
● The plant does not undergo changes on a routine basis (for example, adding new users,
changing computers, introducing new security policies, changing passwords, etc.).
● The operation of a Windows domain infrastructure cannot be guaranteed due to a lack of
appropriately trained personnel.
● When the uniformity of network settings, computer configurations, security policies, users
and passwords can be guaranteed by meticulous, centralized plant documentation.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 109
User Administration and Operator Permissions
6.2 Windows workgroup or Windows domain

Special attention should be given to the following:

● The passwords of a user must always be changed on all affected computers.
● User accounts that are no longer needed must be removed everywhere.
● All computers in the plant must be configured with the same security policy (for example,
use of the LanManager V2 protocol, signing of SMB communication, passport complexity
and password age).
● A central record of assigned computer names and IP addresses must be created and
kept up-to-date.
● When local LMHost and Host files are used to support name resolution, all files must
always be updated at the same time.
● The operation of an entire plant can be seriously jeopardized by incorrect configuration of
a single computer. Moreover, it is often difficult and time-consuming to locate the error in
such cases.

When should plants be managed using a Windows domain (Active Directory)?

Configuration of centralized Windows management is recommended under the following
conditions:
● The plant contains 10 or more computers, or the number of computers, accounts, and
persons to be managed is very large.
● The plant undergoes changes on a routine basis (for example, adding new users,
changing computers, introducing new security policies, changing passwords, etc.).
● Fault-tolerant logon and user management are required.
● Centralized configuration of the individual computers is required.
● The company has its own security policy that requires an Active Directory domain.
Additional criteria for centralized management:
● Legal requirements and guidelines must be met (for example, use of Kerberos as an
authentication method or centralized logging of logon events, etc.).
● Centralized fault-tolerant IP address assignment (DHCP), centralized management of the
name resolution and registration of computers (DNS/WINS) are required.

Note
A fault-tolerant DHCP is only possible with a DHCP server based on Windows Server
2008 R2 (or later).

● The following requirements apply for a certificate server based on Active Directory
services:
– Secure Web services with encrypted communication via Secure Socket Layer (SSL)
– Signatures for applications and documents
– Authentication
– Certificate-based IP security communication and tunneling protocols such as the
Layer Two Tunneling Protocol (L2TP).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

110 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.3 Managing computers and users

6.3 Managing computers and users

The strategy of role-based access control includes restriction to minimally required rights and
functions for users, operators, devices, network and software components.
The users to be created in the operating system environment can be managed distributed or
from a central location.
Note the following in this regard:
● With the distributed management of users in workgroups, proceed according to the ALP
principle (Add User Account to Local Group and Assign Permission) recommended by
Microsoft. This means that local users must be grouped first so that the required
permissions (folder, releases, etc.) can be assigned to these groups.
● If management is performed centrally by a domain, the AGLP principle (Access Global
Local Permission) should be observed. According to this principle, the user accounts are
initially assigned to the domain-global groups in the Active Directory. These groups are
then assigned to local computer groups which, in turn, receive the permissions to the
objects.

Implementation
An automation system features stations/computers that must be permanently operational
and are used by several persons. An example is the operator control and monitoring device
(OS client). This station is permanently used by different operators for process control.
Using "non-personalized" device-specific user accounts for the user accounts of these
permanently used operator control and monitoring devices is recommended. Recommended
accounts for this purpose are those that allow establishing a reference to the respective
computer (e.g. OSClient_5). When using "Autologon" for logging onto the operating system,
this account must be used. For an engineering station that is not permanently in operation
but is used by different users/engineers for configuration, person-based user accounts are
recommended for each user/engineer.

Note
Membership in the Administrators group is only relevant for the installation of PCS 7 and the
configuration of the computer.

SIMATIC permission model

All the permissions to shares and folders in conjunction with SIMATIC products can be
assigned using the SIMATIC permission model. For this, local groups are created during the
installation and then assigned to the SIMATIC objects including all the required permissions.
This simplifies issuing the security settings since the respective user account or the group
only has to be added to the local SIMATIC group. Depending on the SIMATIC products
being installed, the number of added groups may differ.
In addition to the groups created by SIMATIC, membership in the local default group "Users"
is required. While membership in the "SIMATIC HMI" user group allows access to projects, it
does not grant the permission to access the operating system or to locally log on to the
desktop.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 111
User Administration and Operator Permissions
6.3 Managing computers and users

SIMATIC WinCC
During the installation of SIMATIC WinCC, the following three new user groups are created
for project shares and project file accesses:
● SIMATIC HMI
The members of this group may create, edit, start and remotely access local projects. By
default, the user who is carrying out the installation and the local administrator are
automatically added to this group. Additional users must be added manually by an
administrator of this group.
● SIMATIC HMI CS
The members of this group may only perform configurations; they may not make direct
changes to the runtime components. This group is empty by default and is reserved for
later use.
● SIMATIC HMI VIEWER
The members of this group may access configuration and runtime data only in read-only
mode. This group is primarily used for the accounts of Web publishing services, e.g. IIS
(Internet Information Services) for operating the WinCC Web navigator.
The first time a project is opened, a project share is automatically created and assigned the
required share permissions and security settings. The project shares and project file
accesses are managed automatically by the SIMATIC software.

SIMATIC NET
During the installation of SIMATIC NET via the frame setup of SIMATIC PCS 7, the following
local user group is added to the user and group administration:
● SIMATIC NET
All users working with PCS 7, PCS 7 OS or Route Control projects must be members of
this group.

SIMATIC BATCH
For SIMATIC BATCH, the following new user group is created during the installation:
● SIMATIC BATCH
The members of this group have full access to the SIMATIC BATCH directories "sbdata"
and "sbdata_backup". All user accounts working with SIMATIC BATCH must be a
member of this group.
The following shares are created:
● BATCH
The administration of share permissions occurs during installation. Add the "SIMATIC
BATCH" user group with full access permission in the security settings for shares (NTFS
permissions). The batch files are later created in these shares.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

112 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.3 Managing computers and users

SIMATIC Route Control

For SIMATIC Route Control, the following user groups are created additionally during the
installation:
● RC_ENGINEER
● RC_MAINTENANCE
● RC_OPERATOR_L1
● RC_OPERATOR_L2
● RC_OPERATOR_L3
By default, the user account to be installed is added to the "RC_MAINTENANCE" group
during the installation.
The following share is also being configured:
● RC_LOAD
The share permissions and security settings are automatically issued during the installation.
The settings are uniform for all five groups. This means access to the project does not
depend on the group to which the logged on account is added. The RC data are later saved
in these shares.

SIMATIC Management Console

The following user groups must be created for SIMATIC Management Console:
● SIMATIC Management Administrators
Members of this group have unrestricted access to the Management Console and all
permissions.
Enter the members of this group in the Administrators group on the target computers.
This gives the
members of this group permission to make changes to the installed software.
● SIMATIC Management Users
Members of this group are given restricted access to the Management Console and
"Read only" permission.
Include users that are assigned to the "SIMATIC Management Administrators" user group
on the Management Console computer in the "SIMATIC Management Users" user group
as well.
● Windows logon on the Management Console computer
All users of the Management Console must log on as an administrator (local
"Administrators" group or computer-specific administrator in the domain).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 113
User Administration and Operator Permissions
6.3 Managing computers and users

Example configuration
The following figure shows the example configuration:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

114 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.3 Managing computers and users

For the example configuration, the following users are created according to the above-
mentioned recommendations in this section:

User Description
ENG1 PCS 7 Engineer 1
• Works on the engineering station (ES) with the SIMATIC Manager, HW Config, NetPro, CFC,
SFC and WinCC
• Loads the automation systems and the OS server from the ES
• Also performs operations on the OS clients
ENG2 PCS 7 Engineer 2
In addition to ENG1, this user is the administrator of the system
OSC1 Local Windows user who is generally permanently logged on OS client "OSC1" (device-specific,
"non-personalized").
Logon to the operating system performed using Windows Autologon.
OSC2 Local Windows user who is generally permanently logged on OS client "OSC2" (device-specific,
"non-personalized").
Logon to the operating system performed using Windows Autologon.
OSC3 Local Windows user who is generally permanently logged on OS client "OSC3" (device-specific,
"non-personalized").
Logon to the operating system performed using Windows Autologon.
OSC4 Local Windows user who is generally permanently logged on OS client "OSC4" (device-specific,
"non-personalized").
Logon to the operating system performed using Windows Autologon.
OSS1A Local Windows user who is generally permanently logged on OS server "OSS1A" (device-
specific, "non-personalized").
Logon to the operating system performed using Windows Autologon.
OSS1B Local Windows user who is generally permanently logged on OS server "OSS1B" (device-
specific, "non-personalized").
Logon to the operating system performed using Windows Autologon.
OSS2 Local Windows user who is generally permanently logged on OS server "OSS2" (device-specific,
"non-personalized").
Logon to the operating system performed using Windows Autologon.
OSS3A Local Windows user who is generally permanently logged on OS server "OSS3A" (device-
specific, "non-personalized").
Logon to the operating system performed using Windows Autologon.
OSS3B Local Windows user who is generally permanently logged on OS server "OSS3B" (device-
specific, "non-personalized").
Logon to the operating system performed using Windows Autologon.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 115
User Administration and Operator Permissions
6.3 Managing computers and users

The following table shows to which different user groups the above users must be assigned:

Computer/ ES1 OSC1 OSC2 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A OSS3B
Local group
Administrators ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2
User ENG1 OSC1 OSC2 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A OSS3B
ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1
SIMATIC HMI ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1 ENG1
ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2 ENG2
OSC1 OSC2 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A OSS3B
OSS1A OSS1A OSS1A OSS1A OSS1B OSS1A OSC1 OSS3B OSS3A
OSS1B OSS1B OSS1B OSS1B OSC1 OSC1 OSC2 OSC1 OSC1
OSS2 OSS2 OSS2 OSS2 OSC2 OSC2 OSC3 OSC2 OSC2
OSS3A OSS3A OSS3A OSS3A OSC3 OSC3 OSC4 OSC3 OSC3
OSS3B OSS3B OSS3B OSS3B OSC4 OSC4 OSC4 OSC4
SIMATIC BATCH1) ENG1 OSC1 OSC1 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A1 OSS3B1
ENG2 ) )

RC_ENGINEERENG1 ENG1 - - - - ENG1 ENG1 ENG1 ENG1 ENG1

2)

RC_MAINTENANCEE ENG2 - - - - ENG2 ENG2 ENG2 ENG2 ENG2

NG12)
RC_OPERATOR_L13) - OSC1 OSC2 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A OSS3B
RC_OPERATOR_L23) - OSC1 OSC2 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A OSS3B
RC_OPERATOR_L33) - OSC1 OSC2 OSC3 OSC4 OSS1A OSS1B OSS2 OSS3A OSS3B
SIMATIC NET ENG1 - - - - OSS1A OSS1B OSS2 OSS3A OSS3B
ENG2 ENG1 ENG1 ENG1 ENG1 ENG1
ENG2 ENG2 ENG2 ENG2 ENG2
Siemens TIA Engineer ENG1 - - - - - - - - -
ENG2
1) Provided that SIMATIC BATCH is required/used in the example configuration.
2) Provided that SIMATIC Route Control is required/used in the example configuration.
3) Assignment of user OSC1 … 4 to RC_OPERATOR_Lx depends on the required permission

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

116 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.3 Managing computers and users

The following figure shows an example of the local management of users and groups on the
server "OSS1A":

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 117
User Administration and Operator Permissions
6.4 Password policies

Additional information
You can find additional information about computer and user management in the document
"SIMATIC Process Control System PCS 7 Security Concept PCS 7 & WinCC (Basic)"
(http://support.automation.siemens.com/WW/view/en/60119725).
You can also find information on this in the manual "SIMATIC Process Control System PCS
7 PC Configuration" (http://support.automation.siemens.com/WW/view/en/90635791).
You can find addition information on user rights for SIMATIC Route Control, especially
regarding the assignment of users to the user groups RC_OPERATOR_L1/L"/L3, in the
programming and operating manual "SIMATIC Process Control System PCS 7 SIMATIC
Route Control" (http://support.automation.siemens.com/WW/view/en/90682959).

6.4 Password policies

Introduction
Source: https://www.bsi.bund.de
Poorly chosen passwords are still one of the most common deficiencies for security. Often,
the user chooses character combinations that are too short or too simple.
To find passwords, for example, hackers use so-called brute-force attacks that automatically
try a variety of possible character combinations or test entire dictionaries. To prevent such
attacks, a password should meet certain quality requirements.
This is why care should be taken in defining and implementing a password policy in the
automation plant. Such a password policy should take the following points into consideration:
● Password aging
Passwords should to be changed at regular intervals (every 6 months at the latest).
● Minimum complexity
A password should have a minimum complexity, which means it should meet the
following requirements:
– Minimum length of 8 characters
– Contain at least 2 alphanumeric characters and at least 1 number, possibly a special
character
● Password history
A new password must differ significantly from the previous (old) password (by at least 3
characters).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

118 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.4 Password policies

Procedure
The following procedure is described using the example of the "Windows 7" operating
system.
To implement the password policies, follow these steps:
1. Open the Windows Start menu and type "secpol.msc" in the search box.
The "secpol.msc" application is displayed in the results.
2. Click on the "secpol.msc" application in the results.
Enter the administrator password, if required. If you are already logged on as an
administrator, confirm the execution of the application.
The "Local Security Policy" dialog opens.
3. Select "Account Policies> Password Policy" in the left navigation pane of the "Local
Security Policy" dialog.
The password rules are displayed.

4. Make the required settings for the following policies:

Policy Purpose
Enforce password history Prevents users from creating a new password that is the same as their current password
or one recently used. The value "1", for example, means that only the last password is
prevented as a new password. The value "5", for example, means that only the last five
passwords are prevented as a new password.
Maximum password age Specifies the maximum lifetime of passwords in days. After this number of days has
expired, the user must change the password.
Minimum password age Specifies after how many days a user can change their password at the earliest.
Minimum password length Specifies the minimum number of characters that make up a password.
Password must meet complexi- Requires that a password meets the following minimum requirements:
ty requirements
• At least 6 characters.
• It must consist of uppercase and lowercase letters, numbers and special characters.
• It may not contain the user name.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 119
User Administration and Operator Permissions
6.5 Domain Controller

6.5 Domain Controller

Introduction
For reasons of availability, it is recommended that a domain controller be configured
redundantly.
Furthermore, a redundant domain controller pair should be implemented in each subnet or in
every security cell.
The example configuration with thus contain the following change:

A redundant pair of domain controllers is implemented in each of the security cells DCS1,
DCS2, MES and perimeter.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

120 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

Preparations
A computer with one of the following operating systems can be used as a domain controller:
● Windows Server 2008 R2 SP1 Standard Edition)
● Windows Server 2012 (Standard Edition)
The use of a PCS 7 computer (for example, the PCS 7 OS server, PCS 7 ES station, etc.)
is not permitted.
The installation/configuration of a computer as a domain controller is divided into the
following steps:
1. Network configuration
Configuration of the host name and network (IP address).
2. Installing/configuration of Active Directory Domain Services
3. Installation/configuration of the DNS server
4. Configuration of user and user groups
When a bundle is used as the hardware, the A1 Image (Restore DVD) of a server bundle
must be used for the operating system installation.

Procedure
The following points must be observed:
● The installation of the domain controller should be performed at the beginning of the
overall setup of PCS 7.
● The installation should be performed with the actual settings (in regard to host name, IP
address, subnet mask, etc.).
● The entire installation and configuration of the domain should be performed before the
first PCS 7 computer is entered in the domain.
● The first computer should only be entered 24 hours after installation and configuration of
the domain, to allow all domain controllers to fully synchronize. The event logs should be
checked prior to entering the first PCS 7 computer in the new domain. If problems are
detected, the errors should be resolved beforehand.

Computer name of the domain controller

To set the host name, proceed as described in the section Name resolution (Page 27).

Static IP address
The domain controllers are given a static (fixed) IP address. Follow the procedure described
in the section Example configuration: Setting of IP addresses and subnet mask (Page 24).
In the dialog in which the IP address and subnet mask are set, the IP address of the
"Preferred DNS
Servers" must be set. Enter the same IP address that you set as a static IP address for the
domain controller.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 121
User Administration and Operator Permissions
6.5 Domain Controller

The following table summarizes the addresses for both domain controllers for the DCS1
security cell:

Domain Controller 1 (DC1) Domain Controller 2 (DC2)

IP address 192.168.2.125 92.168.2.126
Subnet mask 255.255.255.192 255.255.255.192
Standard gateway 192.168.2.65 192.168.2.65
Preferred DNS server 127.0.0.1 127.0.0.1
192.168.2.125 192.168.2.126
192.168.2.126 192.168.2.125
FQDN DC1.production1.enterprise.local DC2.production1.enterprise.local

6.5.1 Installation and configuration of the first domain controller (DC1)

There are different ways to start installation of a server. This procedure described in this
section is recommended.

Note
The procedure described uses Windows Server 2008 R2 the operating system as an
example. You can find information about Windows Server 2012 under
https://technet.microsoft.com/de-de/library/hh831809.aspx (https://technet.microsoft.com/en-
us/library/hh831809.aspx).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

122 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

Installing the "Active Directory Domain Services" role

1. Click "Start > Administrative Tools > Server Manager".
The Server Manager opens.
2. In the navigation window, select "Roles" and click the "Add Roles" button to add a new
role.

The "Add Roles" wizard opens.

3. Click "Next" in the first dialog.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 123
User Administration and Operator Permissions
6.5 Domain Controller

4. In the "Select Server Roles" dialog, select the "Active Directory Domain Services" option
and click "Next".

5. Use the "Next" button to navigate through other settings of the wizard. No special settings
have to be made for PCS 7. The default settings can be used.
6. Click "Install" to install the role.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

124 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

Installing and configuring Active Directory Domain Services

1. Click Start and enter the program name "dcpromo" in the "Search programs and files" text
box. Confirm your entry with the Return key.

The "Active Directory Domain Services Installation Wizard" starts.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 125
User Administration and Operator Permissions
6.5 Domain Controller

2. Select the "Use advanced mode installation" option and click "Next".

The "Choose a Deployment Configuration" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

126 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

3. Select the "Create a new domain in a new forest" option and click "Next".

The "Name the Forest Root Domain" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 127
User Administration and Operator Permissions
6.5 Domain Controller

4. In the "FQDN of the forest root domain:" text box, enter the fully qualified domain name
(FQDN) (for example, production1.enterprise.local.) and click "Next".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

128 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

The entry is checked for plausibility. In some cases, the wizard may suggest a new
domain NetBIOS name. You can use or modify it if necessary. Then click "Next".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 129
User Administration and Operator Permissions
6.5 Domain Controller

5. Select your operating system from the drop-down list in the "Set Forest Functional Level"
dialog.
This makes it possible for stations (computers) with older operating systems to logon to
the domain. You can find additional information on this in the PCS 7 Readme
(http://support.automation.siemens.com/WW/view/en/101094704).

Note
The functional levels can be subsequently adapted or incremented in Active Directory.
You can find information on this at http://support.microsoft.com/kb/322692
(http://support.microsoft.com/kb/322692).

6. Click "Next".
The "Additional Domain Controller Options" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

130 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

7. Select the "DNS server" option to install the DNS server and click "Next".

8. Use the "Next" button to navigate through other settings of the wizard. No special settings
have to be made for PCS 7. The default settings can be used.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 131
User Administration and Operator Permissions
6.5 Domain Controller

9. In the "Directory Services Restore Mode Administrator Password" dialog, set the
password for the administrator (DSRM) when the domain controller is started in Directory
Services Restore Mode.

10.Use the "Next" button to navigate through other settings of the wizard. No special settings
have to be made for PCS 7. The default settings can be used. The installation is then
initiated.
The Domain Name System (DNS) enables the name resolution to work correctly.
See section Name resolution (Page 27) for more on this.
It is therefore important that both the Forward Lookup Zone and the Reverse Lookup Zone
be configured correctly.
The Forward Lookup Zone resolves the host name in an IP address and the Reverse Lookup
Zone resolves an IP address in a host name.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

132 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

Forward Lookup Zone

The Forward Lookup Zone is created during the installation of the DNS server. Ensure the
settings in the Server Manager are correct.
1. Click "Start > Administrative Tools > Server Manager".
2. Open "Roles > DNS Server > DNS >'<Computer_name>' > Forward Lookup Zones" in the
left navigation window.

3. Right-click on the Forward Lookup Zone that you created by entering FQDN when you
installed the DNS server (in this example: production1.enterprise.local) and select the
"Properties" command in the shortcut menu.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 133
User Administration and Operator Permissions
6.5 Domain Controller

4. Select the "Secure only" option under the menu command "Dynamic updates" in the
"General" tab.

The updates that do not conform to the Microsoft standard are classified as non-secure
updates. This can sometimes happen during internal domain updates (for example,
internal software, profile updates, etc.). That is why this option should be selected.
5. Click "OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

134 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

Reverse Lookup Zone

The Reverse Lookup Zone is not created during the installation of the DNS server. To create
it later, proceed as follows:
1. Click "Start > Administrative Tools > Server Manager".
2. Open "Roles > DNS Server > #Host name# > Reverse Lookup Zones" in the left
navigation window.
3. Right-click the Reverse Lookup Zone and select the "New Zone" command from the
shortcut menu.
The "New Zone Wizard" then opens. You can use it to create a new Reverse Lookup
Zone.

4. Click "Next".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 135
User Administration and Operator Permissions
6.5 Domain Controller

5. In the "Zone Type" dialog, select the "Primary zone" option and configure your entry with
"Next".

6. In the "Reverse Lookup Zone Name" dialog, select the "Network ID" option and enter an
appropriate IP address (192.168.2 in this example). Click "Next".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

136 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

7. Select the "Allow both nonsecure and secure dynamic updates" option (see Forward
Lookup Zone) in the "Dynamic Update" dialog and confirm the entry with the "Next"
button.
The new Reverse Lookup Zone is displayed in the Server Manager.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 137
User Administration and Operator Permissions
6.5 Domain Controller

Additional settings and checking the DNS name resolution

The "nslookup" tool (name server look up) is provided to help you verify that the DNS name
resolution is working correctly.
1. Open a command prompt window (cmd) and enter the command "nslookup".

The response to the "nslookup" command indicates that the server is attempting to
resolve the DNS name via the TCP/IPv6 protocol.
2. To change the DNS name resolution to the TCP/IPv4 protocol, open the properties of the
Internet Protocol Version 6 (TCP/IPv6). In this
properties dialog, select the "Obtain DNS server address automatically" option and
confirm your entry with "OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

138 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

3. Go to the command prompt and enter the "nslookup" command again.

When the address (127.0.0.1 = localhost) appears, you can see that the DNS name
resolution is now using the TCP/IPv4 protocol.
When you enter the IP address of the primary domain controller (192.168.2.125), the host
name (svw2k8r2stdba7.production1.enterprise.local) and the IP address
appear.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 139
User Administration and Operator Permissions
6.5 Domain Controller

If you enter the host name, the host name and IP address also appear.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

140 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

6.5.2 Installation and configuration of an additional domain controller (DC2-DCn) in

an existing domain
There are two scenarios for installing an additional domain controller:
● The computer to be installed as an additional domain controller is already a member of
the domain
● The computer to be installed as an additional domain controller is not a member of the
domain
The installation differs only slightly for these two scenarios. The procedure described uses
Windows Server 2008 R2 the operating system
as an example.
1. Open the Server Manager on the secondary domain controller.
2. Click "Start > Administrative Tools > Server Manager".
3. Use the "Add Roles" button and the "Add Roles Wizard" that subsequently starts to add
the "Active Directory Domain Services" role (see "Installation and configuration of the first
domain controller (DC1) (Page 122)").
4. Start the configuration with "dcpromo" (as you did for the primary domain controller).
The Active Directory Domain Services Installation Wizard starts.
5. In the "Choose a Deployment Config" dialog, select the "Add a domain controller to an
existing domain" option and click "Next".
6. Enter the FQDN "production1.enterprise.local" in the text box of the "Network
Credentials" dialog. Since the secondary domain computer is not a member of the
domain in this case, you need to enter the authorization of the administrator of the
primary domain controller in the "Alternate credentials" using the "Set" button.
7. The remainder of the installation of Active Directory Domain Services and DNS server is
similar to the procedure for the primary domain controller (see Installation and
configuration of the first domain controller (DC1) (Page 122)).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 141
User Administration and Operator Permissions
6.5 Domain Controller

6.5.3 WINS installation and configuration

6.5.3.1 WINS installation and configuration

With Windows Internet Name Service (WINS), Windows computers can find other computers
in subnets with the help of NetBIOS. This means the WINS server is used for NetBIOS name
resolution and is the Windows implementation of a NetBIOS Name Server (NBNS).

Installing WINS server

1. Open the Server Manager with "Start > Administrative Tools > Server Manager".
2. In the left pane, click on "Features" and then on "Add Features" under "Features
Summary" in the right pane.

The "Add Features Wizard" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

142 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

3. In the "Select Features" dialog, select the "WINS Server" feature and click "Next".

4. Click "Install" in the subsequent "Confirm Installation Selections" dialog.

The installation of the "WINS Server" feature is started.
5. Press "Close" to close the "Installation Results" dialog.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 143
User Administration and Operator Permissions
6.5 Domain Controller

Entering the WINS server in the properties of the IPv4 configuration

After installation, the WINS server must be entered in the properties of the IPv4 configuration
for all computers in the network.
1. To do so, open the "Properties" dialog of the network connection.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

144 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

2. Select the "Internet Protocol Version 4 (TCP/IPv4)" from the list and click the "Properties"
button.

3. In the Properties dialog, click "Advanced…" to open the advanced TCP/IP settings.
4. In the "Advanced TCP/IP Settings" dialog, select the "WINS" tab.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 145
User Administration and Operator Permissions
6.5 Domain Controller

5. Click "Add...".
6. Add the IP address of the installed WINS server and close the properties dialog with
"OK".

Checking the configuration of the WINS server

1. To check the configuration of the WINS server, open a command prompt window (cmd)
and enter the command "nbtstat –RR":

Name release packages are sent to WINS and the update is started.
2. Open the WINS Management console with "Start > Administrative Tools > WINS".

The WINS Management console opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

146 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

3. In the left pane, right-click "Active Registrations" and select the menu item "Display
Records …" from the shortcut menu.

4. Select the check box "Filter records matching this Name pattern:" .
5. Enter the computer name of the server (the first characters, here "SVW") and click "Find
Now".
The search result is displayed in the WINS Management console.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 147
User Administration and Operator Permissions
6.5 Domain Controller

Entering WINS server in DNS Lookup Zones

The installed WINS server is to be entered in the DNS Lookup Zones. Follow these steps:
1. Open the Server Manager with "Start > Administrative Tools > Server Manager"
2. Open "Roles > DNS Server > DNS > #Computer name# > Forward Lookup Zones" in the
left pane.
3. Right-click the Forward Lookup Zone "production1.enterprise.local" and select
"Properties" from the shortcut menu.

The Properties dialog of the Forward Lookup Zone "production1.enterprise.local" opens.

4. In this dialog, select the WINS tab.
5. Select the check boxes "Use WINS forward lookup" and "Do not replicate this record",
and enter the IP address of the WINS server in the "IP address" box.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

148 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

6. Click "Add" to apply the IP address.

7. Click "OK" to apply the IP address and close the dialog.

6.5.3.2 Multiple WINS servers and WINS replication

A WINS server is to be installed on each domain controller. When installing a second WINS
server, proceed as described in the section "WINS installation and configuration
(Page 142)". You should be careful when planning the WINS replication topology.
Information on general considerations regarding WINS replication is available from Microsoft
at:
● WINS replication overview (https://msdn.microsoft.com/en-
us/library/cc783226(v=ws.10).aspx)
● Configuring WINS replication (https://msdn.microsoft.com/de-
de/library/cc786754(v=ws.10).aspx)

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 149
User Administration and Operator Permissions
6.5 Domain Controller

Configuring WINS replication

To configure a replication partner for the configured WINS server, follows these steps:
1. Open the WINS Management console with "Start > Administrative Tools > WINS"
2. Right-click "Replication Partners" and select "New Replication Partner..." from the
shortcut menu.

The "New Replication Partner" dialog opens.

3. Enter the IP address of the WINS replication partner.

4. Confirm the entry with "OK".

A dialog box may open after the input. Enter the computer name of the WINS replication
partner in this dialog box and confirm the entry with "OK".
The WINS replication partner is then displayed in the WINS Management console.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

150 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

5. Select the added WINS replication partner in the right pane, and select "Properties" from
the shortcut menu.

6. Adapt the properties of the WINS replication partner according to your replication plan.

Note
Keep in mind that you have to make this setting in each of the replication partners.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 151
User Administration and Operator Permissions
6.5 Domain Controller

Entering the WINS servers in the properties of the IPv4 configuration

You also want to add the two WINS servers in the properties of the IPv4 configuration of the
WINS clients.
1. To do so, open the Properties dialog of the network connection of all WINS clients (for
example, the engineering station(s), the PCS 7 OS servers or the PCS 7 OS clients).

2. Select the "Internet Protocol Version 4 (TCP/IPv4)" from the list and click the "Properties"
button.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

152 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

3. In the Properties dialog, click "Advanced…" to open the advanced TCP/IP settings.

4. In the "Advanced TCP/IP Settings" dialog, select the "WINS" tab.

5. Click "Add" to add the IP addresses of the WINS servers, and confirm the entries with
"OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 153
User Administration and Operator Permissions
6.5 Domain Controller

6.5.4 FSMO roles

Introduction
FSMO is an acronym for Flexible Single Master Operations. While you can use any number
of domain controllers which can largely operate redundantly independent of one another,
each forest contains five operations master roles. Although these roles can be assign to
individual domain controllers, each can only exist once as a role.
The forest contains five master roles and the global catalog:
1. Schema master
Works within the forest and monitors or configures the schema of the Active Directory (for
example, user, computer, or resources, as well as the attributes that can be assigned to
individual objects).
2. Domain Naming Master
Works within the forest and monitors and controls the addition or removal of domains in
the forest.
3. RID master
Works within a domain and assigns unique IDs or SIDs to objects within an Active
Directory.
4. Infrastructure master
Works within a domain and manages the object references of its domain and compares
them to other domains. It updates the global catalogs of other domain controllers.
5. PDC emulator
Works within a domain and emulates a domain controller (DC1) to ensure the downlevel
ability (for old Windows versions). It is also the domain master browser and handles
password changes.
6. Global Catalog
The global catalog is a copy of all Active Directory objects from its own and parts of the
Active Directory information from other domains.

NOTICE
Global catalog and infrastructure master
The global catalog cannot be performed with the "Infrastructure master" role on a
domain controller because this service can be disabled and thus cause serious
replication errors (exception: All domain controllers of a given domain contain the global
catalog).
This malfunction is indicated by error messages 1419 in the event log.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

154 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

It is recommended that the five master roles be assigned to the two domain controllers (DC1
and DC2) as follows:

DC1 DC2
Schema master Infrastructure master
Domain Naming Master RID master
PDC emulator
Global catalog

Note
The server role assignment (operations master) can be displayed using the command
"netdom query fsmo".

Schema master role

The "Schmmgmt.dll" file must be registered to transfer the schema master role to another
domain controller. The Active Directory schema master snap-in is then started.
1. To register the "Schmmgmt.dll" file, click "Start" and then click "Run" in the Start menu.
2. Enter the following command in the Run dialog and confirm the entry with "OK":
– Regsvr32 schmmgmt.dll
The Management Console opens.
3. Click "File > Add/Remove Snap-in ..." to open the Active Directory schema snap-in.
The "Add or Remove Snap-ins" dialog opens.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 155
User Administration and Operator Permissions
6.5 Domain Controller

4. Select "Active Directory Schema" snap-in from the left wind and click the "Add>" button.
Confirm the entry with "OK".

The "Active Directory Schema" snap-in is integrated into the Management Console.
5. Right-click on the "Active Directory Schema" item in the Management Console and select
the "Change Active Directory Domain Controller" command from the shortcut menu.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

156 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

6. In the "Change Directory Server" dialog, select the "This Domain Controller or AD LDS
instance" option and the corresponding domain controller from the list. Confirm the entry
with "OK".

7. Right-click on the "Active Directory Schema" item in the Management Console and select
the "Operations Master" command from the shortcut menu.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 157
User Administration and Operator Permissions
6.5 Domain Controller

8. Click on the "Change" button in the "Change Schema Master" dialog. Confirm the transfer
of the role to the other domain controller with "OK".

9. Close the transfer the of the schema master role using the "Close" button.

Domain Naming Master role

To transfer the Domain Naming Master role to another domain controller, follow these steps:
1. Open the Active Directory Domains and Trusts Management Console with "Start >
Administrative Tools > Active Directory Domains and Trusts" .
2. Right-click on the "Active Directory Domains and Trusts" item and select the "Change
Active Directory Domain Controller" command from the shortcut menu.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

158 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

3. In the "Change Directory Server" dialog, select the domain controller to which the role is
to be transferred and click "OK".
4. Right-click on the "Active Directory Domains and Trusts" item in the Management
Console and select the "Operations Master" command.
5. The remaining procedure is similar to the "Schema Master Role".

Note
Server roles can also be transferred using the "NTDSUTIL" command.

Infrastructure master, RID master and PDC emulator

To transfer the infrastructure master, RID master or PDC emulator roles to another domain
controller, follow these steps:
1. Open the Microsoft Management Console.
2. Click "File > Add/Remove Snap-in ..." to open the "Active Directory Users and
Computers" snap-in.
3. Select "Active Directory Users and Computers" snap-in from the dialog that follows and
click the "Add >" button. Confirm the entry with "OK".
4. Right-click on the "Active Directory Users and Computers" item Management Console
and select the "Change Domain Controller" command from the shortcut menu.

5. In the "Change Directory Server" dialog, select the domain controller to which the role is
to be transferred and click "OK".
6. Right-click on the "Active Directory Users and Computers" item Management Console
and select the "All Tasks" command from the shortcut menu and then the "Operations
Master" command.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 159
User Administration and Operator Permissions
6.5 Domain Controller

The "Operations Masters" dialog contains a tab for the infrastructure master, RID master and
PDC emulator roles; here you can switch the domain controller by clicking "Change ...".

Note
Server roles can also be transferred using the "NTDSUTIL" command.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

160 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.5 Domain Controller

Global catalog
1. Open the Microsoft Management Console.
2. Click "File > Add/Remove Snap-in ..." to open the "Active Directory Users and
Computers" snap-in.
3. Select the "Domain Controllers" folder in the tree view. Right-click on the domain
controller in the global catalog and select the "Property" command from the shortcut
menu.

4. Click on the "NTDS Settings" button in the "General" tab of the properties dialog.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 161
User Administration and Operator Permissions
6.5 Domain Controller

5. Select the "Global Catalog" check box and click "OK".

6.5.5 Users and user groups

You need to add users that you have created in the domain controller (domain users) to the
appropriate SIMATIC HMI user groups (SIMATIC HMI, SIMATIC HMI VIEWER, SIMATIC
HMI CS).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

162 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.6 Operator authorizations – Rights management of the operator

6.6 Operator authorizations – Rights management of the operator

The strategy of role-based access control includes restriction to minimally required rights and
functions for users, operators, devices, network and software components.

6.6.1 SIMATIC Logon

Systems automated with process control systems feature the following special/important
requirements concerning access to functions, data and system areas:
● User administration for granting access rights to avoid unauthorized or unwanted
accesses to the system.
● Creating and archiving confirmations about important or critical actions.
SIMATIC Logon allows assigning individual, task-based permissions to SIMATIC
applications and system areas.
SIMATIC Logon supports user management on a local computer and in a Windows domain.
It is recommended to use SIMATIC Logon in the Active Directory in a domain to take
advantage of the centralized group and user management features.
SIMATIC Logon offers a "Default user" function. This is automatically logged on at the start
of the PCS 7 application or when a SIMATIC Logon user is logged off. For this user account,
it is recommended to assign the minimum number of required user rights, for example, for
emergency operation.
The following applications have a connection to the components of SIMATIC Logon:
● Automation License Manager
● WinCC
● SIMATIC Batch
● STEP 7
You can find detailed information about SIMATIC Logon in the manual "SIMATIC Logon
(http://support.automation.siemens.com/WW/view/en/34519648)".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 163
User Administration and Operator Permissions
6.6 Operator authorizations – Rights management of the operator

6.6.2 Access protection for projects/libraries on the engineering station

Introduction
We recommend that you protect your projects and libraries against unwelcome access and
that you log all access actions. This functionality requires that SIMATIC Logon is installed.
The SIMATIC Logon software defines user roles for the engineering system and their
assignment to the defined Windows users/groups.
These access-protected projects and libraries can then only be opened and edited by
Windows users with one of the following user roles:
● Project administrator
● Project editor
● Any user who authenticates himself/herself using the project password
The user with the "Project administrator" role defines the users for the "Project editor" roles
and the project password. He/she is entitled to activate and deactivate access protection.
The project administrator can assign Windows users to one of the two user roles.
The following figure shows the SIMATIC Logon Editor for role management:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

164 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.6 Operator authorizations – Rights management of the operator

Setting access protection

The following settings for access protection must be performed for each project and library in
the SIMATIC Manger. Synchronization is possible across an entire multiproject.

Network address range Description Can be executed with a user role

Enabling access protection • Activates access protection for a particular project or Project administrator
(including defining a project library. This project or library may only be opened and
password) edited by Windows users who are assigned the roles
of project editor or project administrator.
• Specifies the project password. A project password
can be specified for each project/library.
Deactivating Access Protec- Disables access protection for a particular project or li- Project administrator
tion brary again.
Managing users Specifies the project administrators and project editors Project administrator
Synchronizing access pro- Specifies the project administrators and project editors Project administrator
tection in the multiproject globally for all projects and libraries in a multiproject.
Displaying the Change Log Opens the change log Project administrator
Project editor
Removing Access Protec- Removes the access protection and deletes the change Project administrator
tion and Change Log log for a password-protected project or library.

Enabling access protection for projects/libraries

The following requirements must be met:
● SIMATIC Logon is installed.
● The "Project administrator" and "Project editor" roles in SIMATIC Logon are automatically
created during the PCS 7 installation.
● You are assigned the "Project administrator" role in SIMATIC Logon.
● You are logged on as the project administrator or project editor.
The user currently logged on ("Project administrator" or "Project editor") is displayed in the
status bar of the SIMATIC Manager. The project format is changed the first time access
protection is activated. For this reason, you receive a notice that the modified project can no
longer be edited with older PCS 7 versions.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 165
User Administration and Operator Permissions
6.6 Operator authorizations – Rights management of the operator

To enable access protection for projects/libraries and to change the password, follow these
steps:
1. Select the project/library in the SIMATIC Manager.
2. Select the menu command "Options > Access Protection > Enable".
3. Enter the password and confirm it in the "Activate Access Protection" dialog.
4. Click on "OK".
The selected project/library is now protected by a password and can only be opened for
editing by authorized users.
To disable the access protection for projects/libraries, follow these steps:
1. Select the project/library in the SIMATIC Manager.
2. Select the menu command "Options > Access Protection > Disable".
3. Enter the password and confirm it in the "Deactivate Access Protection" dialog.
4. Click "OK".
The selected project or library is no longer protected by a password and can be opened
by any user for editing.

Additional information
You can find additional information on this in the configuration manual "SIMATIC Process
Control System PCS 7 Engineering System
(http://support.automation.siemens.com/WW/view/en/90663380)".

6.6.3 Documenting changes in the change log

Introduction
The change log documents the user, time, CPU, changes made, and the reason for the
changes.

Requirement
The following requirements must be met:
● The SIMATIC Logon Service is installed.
● The access protection is activated.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

166 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.6 Operator authorizations – Rights management of the operator

Procedure
To activate the change log for a folder in the SIMATIC Manager, follow these steps:
1. In the component view of the SIMATIC Manager, select the folder for which you want to
activate the change log.
2. Select the menu command "Options > Change log > Enable".
The change log for the selected folder is enabled.
The following is documented in the change log:
● Enabling/disabling/configuration of access protection and change log
● Opening/closing projects and libraries
● Downloading to the target system (system data)
● Selected operations for downloading and copying blocks
● Activities for changing the operating state
● CPU memory reset

6.6.4 Documenting changes in the ES log

Introduction
The ES log documents the user, time, CPU, changes made, and the reason for the changes.
If you activate the "ES log active" option, the actions for downloading and the current time
stamps are logged in addition to the protected actions in CFC/SFC (objects of the chart
folder).

Requirement
The following requirements must be met:
● The SIMATIC Logon Service is installed.
● The change log is activated.

Procedure
To activate the ES log, follow these steps:
1. In the component view of the SIMATIC Manager, select the chart folder for which you
want to activate the ES log.
2. Select the menu command "Edit > Object Properties".
The "Chart Folder Properties" dialog box opens.
3. Switch to the "Advanced" tab.
4. Select the "ES log active" option.
5. Click "OK".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 167
User Administration and Operator Permissions
6.6 Operator authorizations – Rights management of the operator

The following is documented in the ES log:

● Every action is registered in chronological order in a main line followed by a line giving
the reason and perhaps a log of the action itself (a download, for example). The most
recent action appears in the first line.
● For the "Download entire program" action, the ES log is deleted from the log but archived
as a file with a date identifier at the same time. The archiving action and the file name
used (including the path) are recorded in the log.
● For the action "Start test mode", all subsequent actions resulting in a change (of value) in
the CPU are logged. The logging includes the value and how it changed (address, old
value, new value). Specifically, these are:
– In the CFC
Assignment of parameters to I/Os
Activation/deactivation of forcing and force value changes
Activation/deactivation of runtime groups
– In the SFC
Assignment of parameters to constants in steps
Assignment of parameters to constants in transitions
Assignment of parameters to constants in sequencer properties

6.6.5 Access protection for operator stations

Sufficient protection against unauthorized access to operator stations must be ensured. Two
different use cases play a role here:
● On the one hand, the operator station must be protected against unauthorized access
such as operator interventions or image selection if nobody is logged on to this station.
This means when the operator logs out of the station, either by pulling the smart card or
with manual logout, the station must switch to a state that makes it impossible for
unauthorized persons to use it (screensaver mode). The screen selected at the time is
therefore no longer displayed once an operator has logged off.
● On the other hand, the operator station must be "locked" in such a way that it is
impossible for an unauthorized user to reach the Desktop of the operating system.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

168 Configuration Manual, 03/2016, A5E35032082-AB
 User Administration and Operator Permissions
6.7 Protection level concept

6.7 Protection level concept

Using a protection level can protect the automation device against unauthorized access.
Three different protection levels in the CPU are available for this purpose:

Protection level 1
Depending on the CPU, this protection level can have different names.
For standard CPUs, protection level 1 is called "No protection". A password entry is not
possible. Password protection can be set up with protection level 2 (CPU configuration via
HW Config).
For F-CPUs or H-CPUs, protection level 1 is called "Access protection for F-CPU or Key
switch position". By default, no security program can be loaded. Only after assigning a
password and with the option "CPU contains security program" is it possible to load security
modules in the CPU.

Protection level 2: Write protection

For protection level 2, only read access to the CPU is possible, regardless of the position of
the key switch.

Protection level 3: Write/read protection

For protection level 3, neither read nor write access to the CPU is possible, regardless of the
position of the switch.

Note
Protection against unauthorized access
The use of protection level 3, "Write/read protection", to protect against unauthorized access
to the automation system (CPU) is recommended.

Behavior of a password-protected CPU during operation

Before executing an online function, the reliability is checked and, if necessary, a password
entry is requested.
Example: The module was configured with protection level 2, and you want to execute the
"Control variable" function. Since this constitutes a write access, the configured password
must be entered to execute this function.

Additional information
You can find additional information on the security level concept in the manual "SIMATIC
Process Control System PCS 7 Engineering System"
(http://support.automation.siemens.com/WW/view/en/90663380).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 169
Patch management 7
7.1 Overview
Microsoft removes security gaps in its products and provides these corrections to its
customers via official updates/patches.
To ensure secure and stable operation of SIMATIC PCS 7, the installation of "Security
patches" and "Critical patches" is required.
In principle, these updates can be implemented in two ways:
● Windows updates via WSUS
Windows updates made available for all computers of the automation system from a
separate Windows Server Update Service (WSUS)
● Manual update
Manual installation of the "Security Patches" and "Critical Patches" after download from
the Microsoft sites to all computers of the automation system.
You can find information on the topic of "Patch Management" in the following documents:
● Manual "SIMATIC Process Control System PCS 7 Patch Management and Security
Updates (http://support.automation.siemens.com/WW/view/en/38621083)"
● FAQ "How can you find out which Microsoft Patches are installed on the PC?
(http://support.automation.siemens.com/WW/view/en/48844294)"
● FAQ "Which Microsoft Patches ("Security Patches" and "Critical Patches") have been
tested for compatibility with SIMATIC PCS 7?
(http://support.automation.siemens.com/WW/view/en/18490004)"
You can find information on Microsoft updates and the WSUS on the following Microsoft
pages:
● http://technet.microsoft.com/en-us/
● http://www.microsoft.com/wsus
Support for implementing patch management in your system is available from the Industrial
Security Services. You can find additional information and the corresponding contacts at the
following address:
● Industrial Security Web (http://www.industry.siemens.com/topics/global/en/industrial-
security/Pages/default.aspx)
You can also send your query directly via e-mail to "[email protected]".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 170
 Patch management
7.2 Windows Server Update Service (WSUS)

7.2 Windows Server Update Service (WSUS)

WSUS server
In accordance with the rules for dividing the components into security cells, the WSUS
server must be singled out in a separate network (Perimeter network / DMZ). All solutions
relating to securing access points to the security cells, such as front-end/back-end firewall or
triple-homed firewall, can be used for the patch management or the WSUS server. The
WSUS must be configured in the Perimeter network using the Industrial Wizard for
configuring the access rules for the back-end firewall or the triple-homed firewall.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 171
Patch management
7.2 Windows Server Update Service (WSUS)

Update source
For the WSUS server, either an existing WSUS in a higher-level external network, such as
the plant network or corporate network, or Microsoft Update on the Internet can be
configured for synchronization. The decision not only affects the configuration of the firewall
(frontend firewall or triple-homed firewall), but also the configuration of the WSUS server.
The corresponding update source must be configured in the WSUS configuration:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

172 Configuration Manual, 03/2016, A5E35032082-AB
 Patch management
7.2 Windows Server Update Service (WSUS)

7.2.1 Recommended procedure for patch management using the Microsoft Windows
Server Update Service (WSUS)

Requirement
A WSUS is set up for your PCS 7 plant.

Configuring WSUS
To configure the WSUS, follow these steps:
1. Open the WSUS Administration Console and click "Options".
2. Under "Products and Classifications", select all Microsoft products relevant to the plant in
the "Products" tab.

Note
You can find information about the permitted Microsoft patches in the following FAQ:
Which Microsoft Security Patches ("Security Patches" and "Critical Patches") have been
tested for compatibility with SIMATIC PCS 7?
(http://support.automation.siemens.com/WW/view/en/18490004)

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 173
Patch management
7.2 Windows Server Update Service (WSUS)

3. Select the "Critical Patches" and "Security Patches" under "Products and Classifications"
in the "Classifications" tab.

Note
When using an Industrial Automation Firewall 200/1000 or Microsoft Forefront Threat
Management Gateway (TMG) the "Definition updates" must also be selected under
"Products and Classifications".

4. Create project-specific groups for the distribution of updates in the plant according to the
redundancy concept, and assign the individual computer systems to these computer
groups.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

174 Configuration Manual, 03/2016, A5E35032082-AB
 Patch management
7.2 Windows Server Update Service (WSUS)

For example, the OS servers "OSS1A", "OSS2" and "OSS3A" and the OS clients "OSC1"
and "OSC3" can be assigned to computer group "PCS 7 Group 1" and the OS servers
"OSS1B" and "OSS3B" and the OS client "OSC2" can be assigned to computer group
"PCS 7 Group 2".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 175
Patch management
7.2 Windows Server Update Service (WSUS)

In order to assign the computers directly to the correct computer groups, the following
option must be selected, regardless of whether the administration is performed using
Windows workgroups or domains.

Checking for updates

To check for updates, follow these steps:
1. Download the Excel table to your computer from the following FAQ:
– Which Microsoft Security Patches ("Security Patches" and "Critical Patches") have
been tested for compatibility with SIMATIC PCS 7?
(http://support.automation.siemens.com/WW/view/en/18490004)
2. Open the table and filter the "Test Result" column for "Failed".
3. Check the "Comment" column to see whether these updates have been replaced.

WSUS administration
1. Select all available updates in the "Critical Patches" and "Security Patches" categories
and release them for installation in the created groups.
2. Use an administrative account to log on to the clients connected with the WSUS (the
clients have been configured accordingly to receive the updates from the WSUS).
3. Run the updates offered.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

176 Configuration Manual, 03/2016, A5E35032082-AB
 Patch management
7.2 Windows Server Update Service (WSUS)

7.2.2 Configuration of computer policies

The policies for the Windows Update service are defined via the editor for local group
policies. When using a domain controller, the settings are performed centrally and distributed
accordingly to all computer systems. If the administration is carried out using Windows
workgroups, these settings must be made separately on every computer.
The following figure shows the editor for local group policies:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 177
Patch management
7.2 Windows Server Update Service (WSUS)

The following group policies must be configured:

● "Configure Automatic Updates" policy
The "Configure Automatic Updates" policy must be enabled. In the properties dialog of
the policy, it must be stipulated that updates should be automatically downloaded but not
installed.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

178 Configuration Manual, 03/2016, A5E35032082-AB
 Patch management
7.2 Windows Server Update Service (WSUS)

● Policy "Specify intranet Microsoft update service location" policy

The "Specify intranet Microsoft update service location" policy must be enabled. If a
separate upstream server in a higher-level, external network is used, the IP address or
computer name of this WSUS server must be specified in the properties dialog of this
policy.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 179
Patch management
7.2 Windows Server Update Service (WSUS)

● "Enable client destination assignment" policy

The "Enable client destination assignment" policy must be enabled. The computer group
to which the computer belongs must be specified in the properties dialog of the policy.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

180 Configuration Manual, 03/2016, A5E35032082-AB
 Patch management
7.2 Windows Server Update Service (WSUS)

● "No auto-restart with logged on users for scheduled automatic update installations" policy
This group policy must be enabled.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 181
Patch management
7.2 Windows Server Update Service (WSUS)

7.2.3 Firewall rules

The following firewall rules apply to the access of the WSUS server in the Perimeter network
to computers in the PCN via the back-end firewall or triple-homed firewall:
● Access rules between the WSUS server and a computer in the PCN

Name Action Protocols From To

Perimeter WSUS to Allow HTTP IP address of WSUS IP address of client
PCN ... #1 HTTPS server
PCN … to Perimeter Allow HTTP IP address of client IP address of WSUS
WSUS #1 HTTPS server

The following firewall rules are required for access of the WSUS server in the Perimeter
network to the external network for downloading the security and critical updates via the
front-end firewall or triple-homed firewall:
● Access rules for firewall rule for updating via the Microsoft pages

Name Action Protocols From To

Allow Windows Update Allow HTTP IP address of WSUS Microsoft Update Sites
access to WSUS or HTTPS server *.download.windowsup
External date.com
*.update.microsoft.com
*.windowsupdate.com
*.windowsupdate.micr
osoft.com

● Access rules for updating via a higher-level WSUS server

Name Action Protocols From To

Allow Windows Update Allow HTTP IP address of WSUS IP address of higher-
access to WSUS or HTTPS server level WSUS server
External

Note
You can find the complete range of products for automation firewalls in the PCS 7 Add-on
catalog. You can download this catalog from the SIMATIC PCS 7 website
(https://www.automation.siemens.com/mcms/process-control-systems/en/distributed-control-
system-simatic-pcs-7/Pages/).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

182 Configuration Manual, 03/2016, A5E35032082-AB
 Patch management
7.3 Manual update

7.3 Manual update

For the manual update, the required updates must be downloaded first from the Microsoft
Download Center to any existing computer. Take care to use the correct operating system
version (server operating system, Windows 7).
After the download and, if necessary, transfer of the updates to the target systems, the
updates must be installed separately. Process management (WinCC Runtime) must be
stopped before the installation with an OS server or OS client.
Run the setup and follow the instructions on the screen. A restart may be required after the
installation.

Note
This guideline is valid only as of PCS 7 V6.1 SP1
The procedure described above does not apply to new Microsoft Service Packs, the use of
which is still subject to an explicit release. If the updates require a later version of the
Microsoft software, read the PCS 7 Readme
(http://support.automation.siemens.com/WW/view/en/101094704)or the usecompatibility tool
(http://support.automation.siemens.com/WW/view/en/64847781) to ensure that these later
software versions or service packs have been approved for SIMATIC PCS 7.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 183
Protection against malware using virus scanners 8
8.1 Overview

Introduction
This section focuses on protecting the automation system or the computers of the
automation system against malicious software. Malicious software and malicious programs
(malware) refers to computer programs that were developed to execute undesirable and
possible damaging functions. The following types are differentiated:
● Computer viruses
● Computer worm
● Trojan horse
● Other potentially dangerous programs, for example:
– Backdoor
– Spyware
– Adware
– Scareware
– Grayware
A virus scanner or antivirus program is a software that detects, blocks and, if necessary,
removes malware.
The use of a virus scanner on the computers of an automation plant must not interfere with
the process mode of a plant. The following two examples illustrate the problems that arise in
automation through the use of virus scanners:
● Even when infected with malware, a computer may not be switched off by a virus scanner
if this would lead to a loss of control of the production system (e.g. for an OS server).
● A project file "infected" by malware (e.g. a database archive) may not be automatically
moved to quarantine, blocked or deleted.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 184
 Protection against malware using virus scanners
8.1 Overview

The following virus scanner architecture is recommended for implementing this requirement:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 185
Protection against malware using virus scanners
8.1 Overview

The virus scanner server is a computer which centrally manages virus scan clients, loads
virus signature files (virus patterns) over the Internet from the virus scanner vendor and
distributes them to the virus scanner clients. The virus scanner client is a computer that is
checked for malware and managed by the virus scanner server. This means the PCS 7 OS
server and OS clients as well as batch servers and batch clients are also virus scanner
clients just like engineering stations or even maintenance servers.
In accordance with the rules for dividing the components into security cells, the virus scanner
server must be singled out in a separate network (Perimeter network / DMZ). For the virus
scanner server, all solutions relating to securing access points to the security cells, such as
front-end/back-end firewall or triple-homed firewall, can be used. The virus scanner server
must be configured in the Perimeter network using the Industrial Wizard to configure the rule
set for the back-end firewall or the triple-homed firewall.

Update source
For the virus scanner server, either an existing virus scanner server in a higher-level external
network, such as the plant network or corporate network, or the URL of the virus scanner
server vendor on the Internet can be configured for synchronization. The decision not only
affects the configuration of the firewall (front-end firewall or triple-homed firewall), but also
the configuration of the virus scanner server.

Firewall rules
For the virus scanner server in the Perimeter network to access the virus scanner clients in
the PCN via the back-end firewall or triple-homed firewall, the following firewall rules apply.
● Example of firewall rules between a virus scan server and a virus scan client:

Name Action Protocols From To

Perimeter virus scan Allow HTTP IP address of virus IP address of virus
server to PCN ... #1 HTTPS scan server scan client
McAfee
PCN … to Perimeter Allow HTTP IP address of virus IP address of virus
virus scan server #1 HTTPS scan client scan server
McAfee

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

186 Configuration Manual, 03/2016, A5E35032082-AB
 Protection against malware using virus scanners
8.1 Overview

For the virus scan server in the Perimeter network to access the external network for
downloading the virus signature files via the front-end firewall or triple-homed firewall, the
following firewall rules are required:
● Example of firewall rules for updating the virus signature files via URL from the provider

Name Action Protocols From To

Allow Virus Pattern Allow FTP over IP address of virus PatternUpdateSet
Update access to HTTP scan server ftp://ftp.nai.com
overlapped Pattern HTTPS http://update.nai.com
Update Server or Ex-
ternal

● Example of firewall rule for updating the virus signature files from a higher-level virus
scan server

Name Action Protocols From To

Allow Virus Pattern Allow FTP over IP address of virus PatternUpdateSet
Update access to HTTP scan server ftp://ftp.nai.com
overlapped Pattern HTTPS http://update.nai.com
Update Server or Ex-
ternal

Note
You can find the complete range of products for automation firewalls in the PCS 7 Add-on
catalog. You can download this catalog from the SIMATIC PCS 7 website
(https://www.automation.siemens.com/mcms/process-control-systems/en/simatic-pcs-
7/Pages/simatic-pcs-7.aspx).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 187
Protection against malware using virus scanners
8.1 Overview

Distribution of virus signature files

To distribute the virus signature files from the virus scanner server to the virus scanner
clients, we recommend forming project-specific computer groups (computer groups in patch
management).
The following figure shows an example for forming two computer groups:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

188 Configuration Manual, 03/2016, A5E35032082-AB
 Protection against malware using virus scanners
8.2 Procedure following a virus infection

Additional information
You can find information about the topic "Protection against malware using virus scanners"
in the following documents:
● Manual "SIMATIC Process Control System PCS 7 Managing virus scanners
(http://support.automation.siemens.com/WW/view/en/38625951)"
● FAQ "With what are SIMATIC PCS 7 V8.x, V7.x, V 6.x, V5.x and V4.x compatible?
(http://support.automation.siemens.com/WW/view/en/64847781)"
In the Industry Online Portal, you can also find configuration descriptions for the various virus
scanners:
● McAfee VirusScan Enterprise 8.8 Configuration
(http://support.automation.siemens.com/WW/view/en/66475606)
● Configuration Trend Micro OfficeScan 11.0
(http://support.automation.siemens.com/WW/view/en/103630611)
● Configuration Symantec Endpoint Protection 12.1
(http://support.automation.siemens.com/WW/view/en/71874887)

8.2 Procedure following a virus infection

Introduction
No general procedure can be recommended in the event of a virus infection. If such an
infection occurs, the procedure for removing or cleaning the affected components must be
planned individually.
In principle, a complete re-installation (operating system and application software) of the
infected components is recommended. An existing, up-to-date hard disk image (system
backup) can also be used for this purpose.
Before loading an image, you should first check whether the storage location of the image is
not infected as well. An image of an infected storage location should not be used because it
cannot be excluded that the image has also been manipulated.
The following points affect the cleaning procedure and should be included in the
considerations and planning:
● Status of the plant documentation (including the network topology, addresses, accounts,
etc.)
● Cleaning during ongoing operation or during a shutdown phase
● Continuous or batch process
● Redundancy concept
● Type of malware
● Number of infected computers
● Infection route

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 189
Protection against malware using virus scanners
8.2 Procedure following a virus infection

Procedure

Note
Note that the procedure described here is an example list of possible steps that may be
performed for cleaning a plant. This list does not claim to be complete. Each of the steps
listed must be planned in detail and implemented accordingly.

The procedure after a viral infection may include the following steps:
● Setup/installation/implementation of the required additional infrastructure for the cleaning,
for example:
– A separate quarantine network
– A secure file server with up-to-date virus scanner (perhaps different antivirus
solutions) for distributing data
– Internet access via separate workstation with up-to-date virus scanner (perhaps
different antivirus solutions)
● Listing of all network nodes and their tasks
Backup of all the current data (engineering data, archives, backups, etc.) for each node.
● Import, scan, clean and archive the current data for each network node on the file server
● Planning the required redundancies (when cleaning during ongoing operation)
● Identify standby components; create a memory dump; analyze and examine the memory
dump with the purpose of identifying the malware as well as its spreading mechanism
● Reinstall the component either from the system backup (if available and not harmful with
respect to infection) or via original data medium (operating system recovery CD and
automation components)
● Recommission the cleaned, reinstalled components in the quarantine network as the new
master
● Transfer "clean" data (engineering data, archives, backups, etc.) from the file server to
the cleaned, reinstalled component in the quarantine network
● Verify and adapt the security design of the plant
● Verify and adapt the security design in the "Quarantine" network
● Step-by-step "rebuilding" of the plant in the "Quarantine" network with cleaned, reinstalled
components
● Expand the "Quarantine" network to the new automation network with the adapted
measures of the security concept
● Step-by-step implementation of the measures from the security design in the
"Quarantine" network

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

190 Configuration Manual, 03/2016, A5E35032082-AB
 Protection against malware using virus scanners
8.2 Procedure following a virus infection

Additional information
Support for implementing a virus protection in form of virus scanners in your plant is
available from the Industrial Security Services. You can find additional information and the
corresponding contacts at http://www.industry.siemens.com/topics/global/en/industrial-
security/pages/default.aspx (http://www.industry.siemens.com/topics/global/en/industrial-
security/Pages/default.aspx).
You can also send your query directly via e-mail to "[email protected]".

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 191
Backing up and restoring data 9
If a security incident, such as a malware infection, occurs (see section "Procedure for a virus
infection" (Page 189)) or a storage medium fails (hard disk crash), regular creation of
backups is absolutely necessary in order to purge the automation system and thereby re-
establish the smooth and trouble-free operation as quickly as possible.
Two types of backups are differentiated here:
● Backup of engineering data (project backup)
● Backup of the system
A system backup backs up the system partition. This means that the volume is backed up
with the following data:
– Hardware-specific files (for example "Ntldr", "Boot.ini" and "Ntdetect.com")
– Windows operating system files
– The installation of the operating system
– The installation of all programs

9.1 Backup strategy

The backup strategy must be planned according to the type of defense-in-depth (see section
"Concept of "defense in depth" (Page 13)") organizationally for both the project backup and
for the system backup. The following points must be taken into account in this regard:
● Scope of backups (for project backup and system backup)
● Frequency for creating backups (for project backup and system backup)
● Storage or storage location of backups
● Archiving of the backups

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 192
 Backing up and restoring data
9.1 Backup strategy

9.1.1 Scope of the backups

Project backup
The project backup includes the entire project data. This means all data that belongs to a
SIMATIC PCS 7 project. These data and the PCS 7 project (multi-project including all
individual projects it contains) can be archived using the SIMATIC Manager. Depending on
the default archiving program, this process creates a ZIP archive containing all the
configuration data.

Note
The steps for creating a project backup and the procedure in the SIMATIC Manager is
available in the manual "SIMATIC Process Control System PCS 7 Compendium Part A -
Configuration Guidelines".

System backup
The system backup contains all system data for a specific system component, for example,
an OS server, an OS client or an engineering station. These system data include:
● The operating system, which means all data of the operating system (Windows 7,
Windows Server 2008 R2)
● All installed programs, for example SIMATIC Manager and WinCC
● All required device-specific drivers, for example, for graphics, network
All these data are usually located on the system partition (C: \). A system backup therefore
involves backing up the entire system partition (C: \).

9.1.2 Interval for creating backups

Specifying the backup interval determines when a specific backup must be created. The
interval here depends on the type of backup. A project needs to be backed up more often
(with higher frequency) than a system in practice.

Project backup
The project backup contains the configuration data and for this reason becomes outdated if a
configuration change has been made. The cycle to create a project backup therefore
depends on the frequency of changes and should be set accordingly.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 193
Backing up and restoring data
9.2 Storage location of backups

System backup
The system backup contains the system data of a system component. These data are
generally only very rarely changed during operation. One possible scenario for a change
would be the installation of an additional program or required driver. However, these are
administrative activities that are not generally performed on a daily basis. For this reason,
the frequency for system backup depends on such administrative interventions in a system
component.
Patch management represents a special situation. If, for example, new software (e.g. a
security update or a major update) is installed on a system component, a new system
backup must be created for this system component.

Note
The product "Symantec System Recovery" has been tested for compatibility with SIMATIC
PCS 7.

9.2 Storage location of backups

Project and system backups should be stored in a secure location. The criteria for "secure"
locations must be determined in each case by the operator within the context of the
organizational security (IT Security Management Plan). The following points should be taken
into account in this regard:
● Buildings
● Fire zones or fire areas

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

194 Configuration Manual, 03/2016, A5E35032082-AB
 Backing up and restoring data
9.3 Archiving

9.3 Archiving
Backups, especially project backups should be archived. The requirements for archiving
backups must be determined individually by the operator within the context of the
organizational security (IT Security Management Plan).

Note
You can find information about the topic "Backing up and restoring data" in the following
documents:
• Manual "SIMATIC Process Control System PCS 7; Service Support and Diagnostics"
(http://support.automation.siemens.com/WW/view/en/90682682), section "Data backup"
• Manual "SIMATIC Process Control System PCS 7 Compendium Part D – Operation and
Maintenance" (http://support.automation.siemens.com/WW/view/en/10806846/133300)
• FAQ "How do you create a backup of the OS systems during operation?"
(http://support.automation.siemens.com/WW/view/en/56897157).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 195
Remote access 10
10.1 Secure remote maintenance based on the SIEMENS Remote
Service platform

Introduction
Optimal proactive, system-specific support for the automation system from remote locations:
This is the idea behind the SIEMENS Remote Services (SRS) platform. Thanks to its
modular design, SIMATIC Remote Services can be optimally adapted to actual
requirements. The available modules not only include those for remote infrastructure, but
support and maintenance are possible as well.
Since the SIMATIC Remote Services are based on the SIEMENS Remote Service (SRS)
platform, plant operators work with a safe, high-performance, and fault-tolerant platform for
remote access to their SIMATIC automation systems.

The platform
The SIMATIC Remote Support Services are based on the Siemens Remote Service
platform. This provides a secure, high-performance, and fault-tolerant remote connection.
● Tiered security and access concept
● Collaboration & Customer Web Portal
● Central monitoring, logging and reporting
● E-mail notification
● Transparent access at any time
● Hard authentication
● Encrypted communication using SSL and VPN

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 196
 Remote access
10.1 Secure remote maintenance based on the SIEMENS Remote Service platform

The following figure shows the architecture of the SIEMENS Remote Service platform:

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 197
Remote access
10.2 Creating a remote service concept

10.2 Creating a remote service concept

For secure remote maintenance, you first need to identify the key components for remote
access and make them available. Most security gaps occur due to the lack of a concept and
lack of access because of time and cost pressure, thereby resulting in potential economic
damage.
The following questions should be considered:
● What equipment do I need to provide services?
● Where is this equipment located?
● How can I obtain this equipment?
● What tools (STEP 7, WinCC, SDT, file transfer, etc.) do I need?
The service case should also be taken into consideration to minimize potential problems in
providing the service in advance:
● For example, will the equipment be needed by several people at the same time?
● Is the service activity non-reacting?
● Who issues authorization for the remote connection, who is the proxy?
Once these questions are answered, these points are mapped electronically on the
SIEMENS Remote Service platform and provide functional remote service access based on
a minimalist design. The service providers now have the systems and tools available, which
they need to render the services.
Because the remote service means increased risk for customers as well as for service
providers, this cooperation is maintained and secured in a service contract.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

198 Configuration Manual, 03/2016, A5E35032082-AB
 Remote access
10.3 Connectivity to the SIEMENS Remote Service platform

10.3 Connectivity to the SIEMENS Remote Service platform

The Siemens Remote Service platform provides a central infrastructure. The systems for
remote maintenance only need to be connected. There are various access solutions
available for this.

Connectivity installation (SRS DSL/UMTS access)

The following options are available for the implementation of this solution:
● Internet access via ADSL/SDSL modem
A service router is supplied and is connected directly to the broadband network via an
ADSL/SDSL modem. This connection is used as secure access to the SIEMENS Remote
Service platform. The configuration of the access information for the PPPoE protocol and
termination of the IPsec VPN tunnel connection is made in the SIEMENS service router.
The SIEMENS service router in this case forms the IPsec tunnel endpoint of this
connection.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 199
Remote access
10.3 Connectivity to the SIEMENS Remote Service platform

● Use of existing Internet access

A service router is supplied and is connected to the broadband network via an existing
Internet access point. This connection is used as secure access to the SIEMENS Remote
Service platform. The VPN IPsec tunnel connection is terminated after the Internet
access point of the customer. The SIEMENS service router in this case forms the IPsec
tunnel endpoint of this connection. Secure transmission of data requires forwarding of the
IPSec protected data from the Internet access point of the customer to the SIEMENS
service router (port forwarding to the SIEMENS service router).

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

200 Configuration Manual, 03/2016, A5E35032082-AB
 Remote access
10.3 Connectivity to the SIEMENS Remote Service platform

Connectivity installation (SRS customer own access)

An existing IT infrastructure is used as the connection partner to the SIEMENS Remote
Service platform. The termination of the required VPN IPsec tunnel connection is made in
the IT equipment of the customer. For secure transmission of data, there is a compliant,
standard IPsec endpoint in which a pre-shared secret based IPsec connection can be set up
in tunnel mode.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 201
Remote access
10.3 Connectivity to the SIEMENS Remote Service platform

Connectivity installation (SRS SSL client access)

SSL VPN client software is provided which establishes a connection to the SIEMENS
Remote Service platform via Internet access (port 443) using the existing IT infrastructure.
The VPN IPsec tunnel connection is terminated on the client system after the Internet access
point. The SSL VPN client installed on the target system in this case forms the IPsec tunnel
endpoint of this connection. The connection is established from the SSL VPN client to the
SIEMENS Remote Service platform.

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

202 Configuration Manual, 03/2016, A5E35032082-AB
Definitions and Abbreviations 11
The following table shows the abbreviations used in this document:

Abbreviation/acronym Explanation
AD Active Directory: Directory service of Microsoft Windows Server
CSN Control System Network (plant bus)
DC Domain Controller
DMZ Demilitarized Zone
DNS Domain Name System
DSRM Directory Services Restore Mode
ECN Enterprise Control Network
ERP Enterprise Resource Planning
ES PCS 7 Engineering Station
FMSO Flexible Single Master Operations
IANA Internet Assigned Numbers Authority
MES Manufacturing Execution System
MON Manufacturing Operations Network
MS Microsoft
OS Client PCS 7 Operator Station; client design
OS server PCS 7 Operator Station; server design
PDC Primary Domain Controller
PCN Process Control Network (terminal bus)
PCN1 Production cell 1
PCN2 Production cell 2
PCS 7 Process Control System from SIEMENS AG
PN Perimeter Network
RID Relative ID
SC Security Controller
SCT Security Configuration Tool
SSC SIMATIC Security Control
TMG Microsoft Forefront Threat Management Gateway
WINS Windows Internet Naming Service
WSUS Windows Server Update Services

Frei verwendbar Compendium Part F - Industrial Security (V8.1)

Configuration Manual, 03/2016, A5E35032082-AB 203