SIMATIC HMI
WinCC V6.0 SP4 Process Visualization System
WinCC Security Concept
Recommended and mandatory practice

Preface
Table of Contents
1 Planning the Security Cells and Access Points
2 Managing the Network
3 Managing Computers and Users
4 User and Access Management in WinCC and Integration Into Windows Management
5 Planning Time Synchronization
6 Implementing Patch Management
7 Secure Network Access to Security Cells
8 Concluding remarks
9 References
10 Meaning of the Symbols Used
Glossary

Edition 07/2006
A5E00917540-01

Safety instructions
This manual contains instructions that must be followed both for your personal safety and in order to avoid damage to equipment. Instructions regarding your personal safety are identified by a warning triangle; instructions regarding general equipment damage appear without a warning triangle. Warnings and associated instructions appear as follows depending on the level of danger (the most dangerous warning appears first).

Danger
Indicates that death or serious injury will occur if the corresponding precautions are not taken.

Warning
Indicates that death or serious injury can occur if the corresponding precautions are not taken.

Caution
With a warning triangle, indicates that minor injury can occur if the corresponding precautions are not taken.

Caution
Without a warning triangle, indicates that equipment damage can occur if the corresponding precautions are not taken.

Notice
Indicates that undesirable events or circumstances can occur if the corresponding instruction is not heeded.

If a number of levels of danger prevail simultaneously, the warning corresponding to the highest level of danger is always used. If a warning with a warning triangle warns of potential injury, a warning regarding equipment damage can be included in the same notice.

Qualified personnel
Reference must be made to this document when setting up the associated device/system. Only qualified personnel may commission and operate a device/system. In the context of the safety instructions in this document, qualified personnel are persons who are authorized to commission, ground and mark devices, systems and circuits in accordance with safety engineering standards.

Intended use
Please note:

Warning
The device may only be used for the applications envisaged in the catalog and technical description, and only in association with third-party devices and components recommended and/or approved by Siemens. In order to operate correctly and safely, the product must be transported, stored, set up and installed correctly, and operated and maintained with care.

Trademarks
All product names followed by the ® symbol are registered trademarks of Siemens AG. Other product names in this document may be trademarks whose use by third parties might violate the rights of their owners.

Exclusion of liability
We have checked the content of this document for consistency with the hardware and software it describes. However, as deviations cannot be totally excluded, we are unable to warrant complete consistency. The information in this document is reviewed at regular intervals and any necessary corrections are included in subsequent editions.

Siemens AG
Automation and Drives
Postfach 4848, D-90327 NÜRNBERG

A5E00917540-01 07/2006

© Siemens AG 2006
Technical data subject to change

Preface
Purpose of this documentation
The "WinCC Security Concept" documentation contains recommended and mandatory procedures for planning and building secure, networked WinCC automation solutions with connected Web clients, SIMATIC IT applications and office networks based on customer specifications. This documentation serves as both a reference and a guide for network administrators working in the following areas:
- Configuration of WinCC
- Commissioning and servicing of WinCC
- Management of company networks

It is intended to facilitate cooperation between network administrators managing company networks and automation networks.

Required knowledge
This documentation is intended for persons involved in the configuration, commissioning and servicing of automation systems using SIMATIC WinCC. It assumes basic knowledge of the common IT technology used in offices.

Notice
This documentation cannot replace training of personnel in the fields of network engineering, management of Microsoft Windows desktop and server stations and operation of these stations in Windows domains; in fact it assumes some previous knowledge of these skills on the part of the reader.

Validity of the documentation


The "WinCC Security Concept" documentation is valid for plants running WinCC V6.0 SP4.

WinCC Security Concept - Recommended and mandatory practice A5E00917540-01

IT Security in Your Plant

The aim of this security concept is to provide IT security in a plant. To this end, the plant is divided into separate security cells. Each of these cells can represent a "closed system". A network comprising a number of security cells can also be seen as a "closed system". Several security measures are necessary in this respect. Optimum plant protection can only be achieved by implementing all of these security measures in their entirety.

Security Cells
Security cells in this document are zones, sections, subsections or units that can only be accessed by authorized personnel. They include:
- Operator permissions for individual production sections
- Physical access to production areas and process control facilities
- Access permissions for the file system of a visualization system station or entire computer and control networks and their power supplies

The following security concept documents should be used as references in this context:
- BSI IT Baseline Security Manual, Chapter 4 "Infrastructures"
- FDA 21 CFR 11, "Electronic Records; Electronic Signatures"
- NAMUR Worksheet NA 67 "Information Security for Process Control Systems (PLS)"
- NAMUR Worksheet NA 103 "Use of Internet Technology in Process Automation"
- ISA-TR99.00.01-2004 "Security Technologies for Manufacturing and Control Systems", dated March 11, 2004

This security concept can be used to validate a networked plant as a "closed system" according to FDA 21 CFR 11 Section A Para. 11.3 Number (4): "A closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system."

System types
The WinCC Security Concept is illustrated in this document on the basis of the following types of system:

Single-user system as a visualization system without Web clients

Figure 1 Block diagram of a single-user system

Multi-user system as a visualization system with Web clients

Figure 2 Block diagram of a multi-user system

Large system as a visualization system with MES and ERP layers

Figure 3 Block diagram of a large system

Note
This SIMATIC WinCC Security Concept has been system-tested and should be implemented in your installation. You must be aware that not all security concepts from the IT world can be implemented 1-to-1 in process automation. IT focuses mainly on global accessibility and maximum security. The most important factor for process automation is functionality.

Notice
Deviations from the recommended WinCC Security Concept can result in security vulnerabilities. Always keep your system up to date with tested security updates so that known vulnerabilities are closed. This documentation contains the WinCC Security Concept V6.0 SP4. Your Siemens Automation & Drives representative will let you know if the manual has been updated.


Guide
Topics are listed in the order in which an administrator should perform the configuration of the required components. Background information and context is provided for each task to help the administrator understand the associated security concept and purpose. This documentation consists of the following topics:
Section: Planning the Security Cells and Access Points
Content:
- Principle: Division into security cells
- Security Cells and Room Protection
- Specifying Network Access Points

Section: Managing the Network
Content:
- Name Resolution
- Assigning IP Addresses and Division into Subnets

Section: Managing Computers and Users
Content:
- Principle: Division of responsibility
- Operating Plants in Windows Workgroups
- Managing Plants Using a Windows Domain (Active Directory)
- Shared domains - dedicated organizational unit
- Shared forest - subordinate domains

Section: User and Access Management in WinCC and Integration Into Windows Management
Content:
- Principle: Assigned logon
- Relationship between Windows user rights and the project-specific management of user rights and operator permissions
- Integration into Windows management

Section: Planning Time Synchronization
Content:
- Principle: Exact time of day
- Time Synchronization in a Windows Workgroup Without a Central Plant Clock
- Time Synchronization in a Windows Workgroup with a Central Plant Clock
- Time Synchronization in a Windows Active Directory Domain Without a Central Plant Clock (with NTP Time Server)
- Time Synchronization in a Windows Active Directory Domain With a Central Plant Clock

Section: Implementing Patch Management
Content:
- Principle: Management of software updates and security patches
- Implementing Patch Management
- Installing and Configuring the Software Update Service (SUS)
- Configuring the AU Clients (AU = Automatic Update)

Section: Secure Network Access to Security Cells
Content:
- Principle: Closed system in accordance with FDA
- Using Firewalls for Access Points
- Using Virus Scanners for Access Points
- Principle: Integration of Remote WinCC PCs Into the Closed System in Accordance with FDA
- Using and Configuring Authentication and Encryption with IP Security
- Using and Configuring Authentication and Encryption with Secure Sockets Layer
- Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access
- Log/Audit

Section: Concluding remarks
Content:
- Additional Measures


Additional support
If, once you have read the manual, you have any questions about the products described in it, please contact your local Siemens representative. You will find a list of representatives at: http://www.siemens.com/automation/partner
You will find a guide to the technical documentation we offer for individual SIMATIC products and systems at: http://www.automation.siemens.com/simatic/portal/html_76/techdoku.htm
You will find the online catalog and online ordering system at: http://mall.automation.siemens.com/

Training centers
We offer courses to help get you started with the WinCC visualization system. Please contact your regional training center or the central training center in Nuremberg. Phone: +49 (911) 895-3200. Internet: http://www.sitrain.com

Technical support
Technical support for all A&D products can be accessed as follows:
- By completing our online support request form: http://www.siemens.de/automation/support-request
- Phone: +49 180 5050 222
- Fax: +49 180 5050 223

For additional information about our technical support services, please visit us on the Internet at http://www.siemens.de/automation/service .

Service & Support on the Internet

In addition to the information in our documentation, you can also access our knowledge base online at: http://www.siemens.com/automation/service&support
Here you will find:
- A constantly updated newsletter providing you with the latest information about your products
- The documents you need (using our Search function under Service & Support)
- A forum where users and specialists from all over the world can exchange information
- Your local Automation & Drives representative
- Click "Services" to access information about local service, repairs, spare parts, and much more

Table of Contents

Preface ... i
Table of Contents ... vii
1 Planning the Security Cells and Access Points ... 1-1
1.1 Security Cells and Room Protection ... 1-1
1.2 Specifying Network Access Points ... 1-6
2 Managing the Network ... 2-1
2.1 Name Resolution ... 2-1
2.2 Assigning IP Addresses and Division into Subnets ... 2-6
3 Managing Computers and Users ... 3-1
3.1 Operating Plants in Windows Workgroups ... 3-1
3.2 Managing Plants Using a Windows Domain (Active Directory) ... 3-4
3.2.1 General Information About Domains ... 3-4
3.2.2 Embedding Plants in Existing Domains (Active Directory) ... 3-9
4 User and Access Management in WinCC and Integration Into Windows Management ... 4-1
4.1 Rights Management in Windows ... 4-1
4.2 User management in WinCC ... 4-8
5 Planning Time Synchronization ... 5-1
5.1 Time Synchronization in a Windows Workgroup Without a Central Plant Clock ... 5-3
5.2 Time Synchronization in a Windows Workgroup with a Central Plant Clock ... 5-9
5.3 Time Synchronization in a Windows Active Directory Domain Without a Central Plant Clock (with NTP Time Server) ... 5-15
5.4 Time Synchronization in a Windows Active Directory Domain With a Central Plant Clock ... 5-23
6 Implementing Patch Management ... 6-1
6.1 Implementing Patch Management ... 6-3
6.1.1 How to Detect a Security Vulnerability With MBSA ... 6-4
6.1.2 Assessing Security Vulnerabilities ... 6-8
6.1.3 Obtaining Software Updates and Security Patches ... 6-9
6.1.4 Testing Security Patches ... 6-9
6.1.5 Deploying Security Patches ... 6-9
6.1.6 Maintaining the Patch Environment ... 6-9
6.2 Installing and Configuring the Software Update Service (SUS) ... 6-10
6.2.1 Basics of SUS ... 6-10
6.2.2 Installing SUS ... 6-14
6.2.3 Configuring the SUS Server ... 6-15
6.3 Configuring the AU Clients ... 6-21
7 Secure Network Access to Security Cells ... 7-1
7.1 Mapping Data Traffic ... 7-1
7.2 Using Firewalls for Access Points ... 7-7
7.2.1 General Information About Firewalls ... 7-7
7.2.2 Using the Microsoft ISA Server as a Firewall ... 7-7
7.2.3 Using Local Firewalls on WinCC PCs ... 7-11
7.3 Using Virus Scanners for Access Points ... 7-12
7.3.1 Using Local Virus Scanners on WinCC PCs (Distributed Access Points) ... 7-12
7.3.2 Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant ... 7-14
7.4 Integration of Remote WinCC PCs Into the Closed System in Accordance with FDA ... 7-15
7.4.1 Using and Configuring Authentication and Encryption with IP Security ... 7-17
7.4.2 Using and Configuring Authentication and Encryption with Secure Sockets Layer ... 7-23
7.4.3 Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access ... 7-26
7.5 Requesting and Installing Certificates ... 7-53
7.5.1 How to Install a Stand-Alone Root Certification Authority ... 7-53
7.5.2 Downloading a Certification Authority Certificate ... 7-56
7.5.3 Requesting a Local Computer Certificate for IPSec ... 7-57
7.5.4 Setting Up SSL on a Web Server ... 7-59
7.5.4.1 Creating a Certificate Request ... 7-59
7.5.4.2 Submitting a Certificate Request ... 7-61
7.5.4.3 Issuing a Certificate ... 7-61
7.5.4.4 Installing the Certificate on the Web Server ... 7-62
7.5.4.5 Configuring Resources to Request SSL Access ... 7-62
8 Concluding remarks ... 8-1
8.1 Residual Risks ... 8-1
8.2 Additional Measures ... 8-1
9 References ... 9-1
10 Meaning of the Symbols Used ... 10-1
Glossary

1 Planning the Security Cells and Access Points

1.1 Security Cells and Room Protection

Principle: Division into security cells

The first and most important step in building a modern and secure process automation system is the careful planning of its security cells. To this end, the plant is divided into segments.

Segments and security cells
Segments are specific zones, sections, subsections, or units. They become security cells when they fulfill the conditions described in the section "IT Security in Your Plant". Several segments can form a security cell.

This is where the first fundamental differences from the usual IT environment become apparent: whereas conventional IT environments focus on global networking and access, the emphasis in industrial environments is on ensuring that only authorized persons can access systems via a network. In industrial applications, room protection in a plant is even more important. Even the best firewall or encryption is useless if a saboteur can simply remove the server's hard disk and walk away with it, for example.

This is why individual plants and parts of them need to be segmented and provided with room protection.


Rules for forming segments and security cells


- Each segment must form a self-sufficient "functioning system" that can be operated for a specific period of time without connection to other process cells or units. In other words, a segment must be and remain capable of operating autonomously for a specific period of time.
- All components immediately belonging to such a segment and involved in its function must be connected directly to one another (i.e., not through leased lines).
- Plant units that would cause high network and computer load if connected from the outside via a complex security mechanism must be integrated directly into the segment.
- Any access to a security cell, for example, physical access by operators or file access, should take place only once the user's identity has been verified and logged and only under the supervision of authorized persons.
- Only trusted persons with appropriate training should be given access to a security cell.

What does this ensure?


Observation of the above rules ensures that only persons intending no deliberate threat to a plant are given direct physical access to a security cell within it.

Ramifications for protection mechanisms


Within a security cell, only standard access permissions are required to protect against maloperation by personnel. This means, therefore, that within a security cell, no measures need to be taken for encryption of data traffic. Neither do firewalls need to be used upstream of every device. The network can be operated without encryption, which also simplifies support. If these recommendations for dividing the plant into segments and security cells are not heeded, all other protection measures described here will be rendered ineffective.


Application to system types


Single-user system
In a single-user system, the single station represents a security cell and can also form a closed system. This requires the system to be located in a room with appropriate room protection. In the case of multiple single-user systems, each station represents a security cell and several single-user systems can form a closed system.

Multi-user system
A multi-user system represents a security cell and can form a closed system at the same time. Another specific feature to be noted at the control layer is the recommended separation of terminal bus and plant bus. The terminal bus connects the WinCC PCs on the control layer. The plant bus connects the WinCC servers to the automation systems (AS). Communication between the automation systems takes place via the plant bus.

Separating the two buses avoids loading the plant bus with the communication for the visualization on the WinCC clients. The availability of the plant bus is thereby increased. Figure 1-1 shows the division of the control layer into "terminal bus" and "plant bus" segments using the "production shop" security cell as an example. The PC stations on the control layer are assigned to the terminal bus. The AS stations on the control layer are assigned to the plant bus.

Figure 1-1 Production shop security cell


Large system
In the example configurations illustrated in Figure 1-2 and Figure 1-3, referred to hereinafter as the company "plant.com", there are 3 main buildings with a variety of functions and devices. Each building corresponds to a security cell in this example because:
- There are persons with similar responsibilities and permissions in each of the segments.
- Each security cell can fulfill its task in isolation from the others for a certain period of time.

Figure 1-2 Building security cells - layers

One exception in this example is the building controlling access to the entire company site. This building contains a single device that displays special alarms but does not allow any operator inputs.

Figure 1-3 Building security cells - devices

FDA requirements for room protection


An important factor for room protection in the context of FDA certification, especially 21 CFR Part 11, is the definition of a "closed system" and its security requirements. The most important requirements are:
- Restriction of access to authorized persons
- Restriction of access to permitted devices
- Protection of documents and data against change and deletion

Methods for increasing network performance


Methods for increasing network performance are primarily implemented within a single segment. Switched and possibly redundant networks should only be set up within a single segment, for example.

Note
In practice, different requirements have emerged for the two networks due to their different characteristics, for example, fault tolerance (redundancy) and the substantially faster response times of the plant bus, especially between individual automation systems. To prevent the two networks interfering with each other, we strongly recommend setting up and operating the terminal bus and the plant bus as physically separate networks.

1.2 Specifying Network Access Points

Central access points


Many network applications are susceptible to attacks such as denial of service or buffer overflows. You can protect against these attacks by performing regular security updates for these applications and the operating system. Contradicting this is the need to operate the plant for as long as possible without downtime, since security updates often require restarts. These seemingly contradictory requirements for security updates and long operating times can be reconciled by providing the security cells in a plant with reliable central access points that can protect all network components (even those not yet updated) for a specific period of time. However, despite this central protection, security updates MUST be installed following testing, in order to ensure the security of the individual components even if the central access point fails or is bypassed.

Network access point - What does this ensure?


Network access points should:
- Prevent unauthorized data traffic to sensitive visualization systems
- Enable authorized data traffic and, therefore, problem-free, normal operation of the visualization system

Defined access points using routers


You must use defined access points to connect the individual segments and subnets. Routers are ideal for this purpose, because on these devices, data communication can be regulated more precisely using the routing and filter rules for data exchange. This provides a simple protection mechanism without impeding network traffic. Suitable routers are selected on the basis of:
- The required network bandwidth
- The required availability

The dimensioning of the router must correspond to the actual requirement of the network traffic and any planned expansions of the plant. A router represents a bottleneck for network traffic due to its status as a "stand-alone device". You may need to use modern "GigaBit" technology for the routers. You may need to configure the routers redundantly.

Note
We recommend the temporary use of routers as isolation and connection components for individual security cells, especially when commissioning a plant. This makes it much easier, for example, to test the function of all devices and their communication mechanisms. You will subsequently need to replace these routers with firewalls or install and configure firewall software on any computers being used as routers (see Section 7.2 "Using Firewalls for Access Points").


Application to system types


Single-user system
If a single-user system represents a security cell and is, therefore, in a protected room, the network adapters form the access points. If this is not the case, all interfaces on a single-user system, such as the drives, keyboard, mouse, USB port, etc., form the access points.

Multi-user system
The router control system forms the access point to a multi-user system (see Figure 1-4 Network access points, router).

Large system
The access points are illustrated in Figure 1-4 (Network access points, router):
- Access point to control layer via router control system
- Access points to MES layer via MES router or router control system

All devices on the ERP layer are located in a physical subnet on the top layer. This is connected with the next MES layer via the MES router. The MES layer in turn is connected to the control layer via the router control system. In this example, the WinCC servers swap out production data from the control layer to the SIMATIC IT Historian Server or long-term archive server at regular intervals. Although the control layer can work for a certain amount of time without a connection to the MES layer, it must be regularly connected to the archive servers on the MES layer, because its archive capacity is limited. Production data are collected, archived and evaluated on the MES layer and made available to the ERP layer via a Web solution (WinCCWebServer01). An important aspect is that these production data cannot be destroyed and can no longer be changed.


Figure 1-4 Network access points, router

Note
You do not have to run a SIMATIC IT Historian Server or WinCC long-term archive server on the MES layer. If given conditions do not allow such a layer to be formed, you must do without these additional security zones. However, this is not recommended.

2 Managing the Network

2.1 Name Resolution

Symbolic names
All network nodes must be assigned symbolic names in order to keep the network structure and administration flexible and make it possible to react to changes. These names map to the IP addresses of the network nodes. Task-oriented symbolic names, such as WinCCServer01 or PresseSrv01, have proved popular. Most applications use these names to find the partners they are looking for on the network.

Rules for name resolution


If you are using DNS and WINS servers, at least one DNS server and one WINS server must be available in each segment. Of course, they can both be physically located on the same PC. The symbolic names for plant PCs can contain up to 15 characters and must consist of letters and digits only. Name resolution must be quick, reliable and always available to each and every network node.

Note
As soon as a Windows 2000 or Windows 2003 domain is used to manage the Windows computer (see Section General Information About Domains ), a writable DNS server is an absolute necessity for resolving names in this domain.

Name resolution for each individual segment must also function without connection to the other segments. Fast and reliable name resolution is a requirement for high-level performance in each individual segment.
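The name-resolution rules above (one DNS and one WINS server per segment, names of at most 15 letters and digits, and resolution that keeps working when a segment is cut off from the others) can be checked against a plant inventory before commissioning. The following Python script is an added example written for this page; it is not part of the WinCC manual or of any Siemens tool. The inventory format is an assumption, and apart from WinCCServer01 and PresseSrv01, which the page names, the host and segment names are constructed for illustration.

```python
"""Checks a plant inventory against the name-resolution rules of the
"WinCC Security Concept" section "Rules for name resolution".

Added example for this page, not part of the WinCC manual or any Siemens tool.
The inventory format and most host/segment names are constructed.
"""
import re

# A plant PC name: at most 15 characters, letters and digits only
# (rule from the manual; 15 characters is also the NetBIOS name limit).
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,15}$")

# Constructed inventory: one record per network node.
#   segment: the segment / security cell the node belongs to
#   roles:   infrastructure services the node itself provides
#   dns/wins: the name server configured on the node (None = not configured)
INVENTORY = [
    {"name": "WinCCServer01", "segment": "production",
     "roles": {"dns", "wins"}, "dns": "WinCCServer01", "wins": "WinCCServer01"},
    {"name": "WinCCClient01", "segment": "production",
     "roles": set(), "dns": "WinCCServer01", "wins": "WinCCServer01"},
    {"name": "PresseSrv01", "segment": "press",
     "roles": {"dns"}, "dns": "PresseSrv01", "wins": "WinCCServer01"},
    {"name": "Press-Client-01", "segment": "press",
     "roles": set(), "dns": "PresseSrv01", "wins": None},
]


def check_names(inventory):
    """Return the node names that violate the naming rule."""
    return [h["name"] for h in inventory if not NAME_RE.match(h["name"])]


def check_segment_services(inventory):
    """Return (segment, service) pairs for segments without their own
    DNS or WINS server."""
    roles_by_segment = {}
    for h in inventory:
        roles_by_segment.setdefault(h["segment"], set()).update(h["roles"])
    return [(seg, svc) for seg, roles in sorted(roles_by_segment.items())
            for svc in ("dns", "wins") if svc not in roles]


def check_local_resolution(inventory):
    """Return (node, service) pairs whose configured name server is missing
    or sits in another segment: such a node loses name resolution as soon
    as the connection to the other segments is interrupted."""
    segment_of = {h["name"]: h["segment"] for h in inventory}
    findings = []
    for h in inventory:
        for svc in ("dns", "wins"):
            server = h[svc]
            if server is None or segment_of.get(server) != h["segment"]:
                findings.append((h["name"], svc))
    return findings


def audit(inventory):
    """Run all three checks and return the findings by rule."""
    return {
        "bad_names": check_names(inventory),
        "missing_services": check_segment_services(inventory),
        "cross_segment_resolution": check_local_resolution(inventory),
    }


if __name__ == "__main__":
    for rule, findings in audit(INVENTORY).items():
        print(f"{rule}: {findings or 'ok'}")
```

On the constructed inventory the audit flags the hyphenated name "Press-Client-01", the "press" segment for having no WINS server of its own, and two nodes whose WINS resolution depends on WinCCServer01 in the "production" segment. The same three functions apply unchanged to a real inventory exported from the plant's asset list.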


Name resolution with DNS server


Names are set by selecting the menu command "Start > Settings > Control Panel ", "System" > "Computer Name" tab > "Change" button.

Figure 2-1 DNS suffix name resolution

DNS suffix
Specification of the DNS suffix is important for the PC to be correctly entered on the DNS server. This also applies to the DNS server itself.

DNS server address
The DNS server is set on the plant PC by selecting the menu command "Start > Settings > Control Panel" > "Network Connections" > "Local Area Connection" > "General" tab > "Properties" button. In the "Internet Protocol (TCP/IP) Properties" dialog box, select "Obtain DNS server address automatically" or "Use the following DNS server addresses:".


Name resolution with WINS server


Names are set by selecting the menu command "Start > Settings > Control Panel" > "System" > "Computer Name" tab > "Change" button. The "NetBIOS computer name" is derived from the "Computer name" specified here and can be displayed by clicking "More". Both names should be the same to avoid name resolution errors.

WINS server address
The WINS server is set on the plant PC by selecting the menu command "Start > Settings > Control Panel" > "Network Connections" > "Local Area Connection" > "General" tab > "Properties" button. In the "Internet Protocol (TCP/IP) Properties" dialog box, click "Advanced" and select the "WINS" tab.
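The checks implied by the rules above (15-character alphanumeric names, DNS suffix set, computer name equal to NetBIOS name, forward and reverse lookup agreeing) can be scripted. The following PowerShell script is an added example and not part of the Siemens manual; the host names, the suffix production.plant.com and the function names are assumptions. It runs on a plant PC with nothing but the Windows resolver and WMI:

```powershell
param(
    [string[]]$PlantPCs = @('WinCCServer01', 'WinCCServer02', 'WinCCClient01', 'PresseSrv01'),  # constructed
    [string]$ExpectedSuffix = 'production.plant.com'                                             # assumption
)

# Rule from the text: at most 15 characters (NetBIOS limit), letters and digits only.
function Test-PlantPCName {
    param([string]$Name)
    return ($Name.Length -le 15) -and ($Name -match '^[A-Za-z0-9]+$')
}

# Forward lookup with the resolver the PC really uses (DNS, then WINS/broadcast for flat
# names), followed by a reverse lookup of the address returned. Both must agree, otherwise
# a stale DNS or WINS record is pointing the clients at the wrong machine.
function Test-NameResolution {
    param([string]$Name, [string]$Suffix)
    $r = New-Object PSObject -Property @{
        Name = $Name; ValidName = (Test-PlantPCName $Name); Address = $null
        ReverseName = $null; Consistent = $false; Error = $null
    }
    try {
        $fwd  = [System.Net.Dns]::GetHostEntry($Name)
        $ipv4 = $fwd.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
        if ($ipv4 -eq $null) { throw 'no IPv4 address returned' }
        $r.Address     = $ipv4.ToString()
        $rev           = [System.Net.Dns]::GetHostEntry($ipv4)
        $r.ReverseName = $rev.HostName
        $r.Consistent  = ($rev.HostName -ieq "$Name.$Suffix")
    } catch {
        $r.Error = $_.Exception.Message
    }
    return $r
}

# Local settings covered by the DNS suffix and WINS sections: suffix and DNS/WINS servers of
# every IP-enabled adapter, and whether the DNS host name and the NetBIOS name agree.
function Get-LocalNameSettings {
    $cs = Get-WmiObject Win32_ComputerSystem
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        New-Object PSObject -Property @{
            Adapter       = $_.Description
            DNSSuffix     = $_.DNSDomain
            SuffixCorrect = ($_.DNSDomain -ieq $ExpectedSuffix)
            DNSServers    = ($_.DNSServerSearchOrder -join ', ')
            WINSPrimary   = $_.WINSPrimaryServer
            WINSSecondary = $_.WINSSecondaryServer
            DNSHostName   = $cs.DNSHostName
            NetBIOSName   = $env:COMPUTERNAME
            NamesMatch    = ($cs.DNSHostName -ieq $env:COMPUTERNAME)
        }
    }
}

Get-LocalNameSettings | Format-List
$PlantPCs | ForEach-Object { Test-NameResolution -Name $_ -Suffix $ExpectedSuffix } |
    Format-Table Name, ValidName, Address, ReverseName, Consistent, Error -AutoSize
```

Run it on a plant PC as a user with WMI rights. A row with Consistent = False points at a stale DNS or WINS record, and NamesMatch = False at a computer name longer than 15 characters, which the rules above exclude.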


Application to system types


Single-user system
Although name resolution is not a necessity for WinCC networking, the single-user system must be able to identify itself. This does not mean, however, that the single-user system cannot be located on a network with DNS and WINS servers.

Multi-user system, large system
We also recommend using at least one additional PC as a DNS and WINS server in a workgroup. The DHCP server can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.


2.2 Assigning IP Addresses and Division into Subnets

Selecting IP addresses and division into subnets


As stated in "Security Cells and Room Protection", the selected division into segments should also be reflected in the IP address range of the networks by forming individual subnets.

Rules for IP addresses


Selecting the IP address range is the first step in increasing network security: wherever possible, select IP addresses from the private address ranges reserved by RFC 1918. We recommend addresses in the 192.168.x.x range, which provides a simple and clear structure for small and medium-sized systems.

What does this ensure?


Since addresses from the private ranges are not routed on the public Internet, a plant PC cannot be addressed directly from the Internet. This is only a first line of defense: it does not protect against attacks that originate inside the company network or that pass through a NAT router or a proxy, so the measures in the following sections remain necessary.

Recommended IP addresses
In the 192.168.x.x range there are, for example, 256 class C networks (192.168.0.x to 192.168.255.x), each with 254 hosts (192.168.x.1 to 192.168.x.254).

Figure 2-2 Layers with IP subnets

The office environment addresses are often already used by the company IT department. Include the IT department in the planning of the plant network at an early stage if a connection to the office network is planned or foreseen as a future development.


Use of DHCP (Dynamic Host Configuration Protocol)


DHCP offers the possibility of a secure, reliable and simple TCP/IP network configuration. DHCP prevents address conflicts and helps to standardize the use of IP addresses by providing centrally managed address assignments.

Note
Never install services for network management, such as DNS, WINS, DHCP, domain controllers, etc., on a WinCC PC.

The following should be noted when using DHCP in a WinCC system: there must be a DHCP server in each segment. It can be located on a computer together with the DNS and WINS servers. We recommend the following settings for the DHCP server on the terminal bus in our example:

Reservations
Make reservations for all plant PCs on the terminal bus. This ensures that the plant PCs are always assigned the same IP address, even when they have been switched off for a long period. Tip: use a dummy name such as dummy01 as the reservation name. The FQDN subsequently shown for the reservation then tells you whether the computer with the corresponding MAC address has registered properly.

Address pool
Once you have made reservations for all plant PCs, only a very small address pool is needed, for example 192.168.25.10 to 192.168.25.60.

Range or server options
003 Router: 192.168.25.1
006 DNS Server: 192.168.25.101*
015 DNS Domain Name: production.plant.com
044 WINS/NBNS Server: 192.168.25.101*
046 WINS/NBT Node Type: 0x8 (hybrid node: WINS query first, then broadcast)

* Only applies when a DNS or WINS server is also installed on the domain controller, for example. Otherwise, adapt the IP addresses. Other options may be useful depending on local requirements, for example:
042 NTP Servers: 192.168.25.101
033 Static Route Option: 192.168.125.0 via 192.168.25.1

Note that Windows DHCP servers cannot be configured redundantly. This does not mean, however, that the WinCC PC will cease to function when a DHCP server fails: problems only arise when the lease expires or the PCs are rebooted. Select a lease time long enough to meet your requirements. If DHCP server redundancy is required, you can cluster the server like any other Windows server. Another possibility is to configure an alternate IP address ("Alternate Configuration" tab) on Windows XP or Windows Server 2003. To avoid duplicate addressing in the event of a DHCP server failure, these alternate IP addresses must be maintained in parallel with the DHCP reservations.
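The address rules above and the recommended DHCP settings can be checked and generated together. The following PowerShell script is an added example, not from the Siemens manual; the reservations, MAC addresses and scope values are constructed from the 192.168.25.x example in the text, and the function names are assumptions. It uses the built-in netsh dhcp context of a Windows DHCP server:

```powershell
param([switch]$Apply)   # without -Apply the netsh commands are only printed

# Example terminal bus from the text; names, MAC addresses and reservations are constructed.
$Scope = @{ Network = '192.168.25.0'; Mask = '255.255.255.0'; Name = 'TerminalBus'
            Router = '192.168.25.1'; DnsServer = '192.168.25.101'; WinsServer = '192.168.25.101'
            DnsDomain = 'production.plant.com'; PoolStart = '192.168.25.10'; PoolEnd = '192.168.25.60' }
# Dummy reservation names as the text suggests; the lease shows the real FQDN once registered.
$Reservations = @(
    @{ Name = 'dummy01'; IP = '192.168.25.111'; MAC = '001122334455' },
    @{ Name = 'dummy02'; IP = '192.168.25.112'; MAC = '001122334456' },
    @{ Name = 'dummy03'; IP = '192.168.25.113'; MAC = '001122334457' }
)

function ConvertTo-IpNumber { param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}
function Test-PrivateAddress { param([string]$Ip)   # RFC 1918: 10/8, 172.16/12, 192.168/16
    return ($Ip -match '^10\.') -or ($Ip -match '^192\.168\.') -or ($Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

# Applies the rules from the text to the plan: private range, inside the cell's subnet,
# .0/.1/.255 (network, router, broadcast) never assigned, no duplicates, reservations outside the pool.
function Test-AddressPlan { param($Scope, $Reservations)
    $errors = @()
    $net = ConvertTo-IpNumber $Scope.Network; $mask = ConvertTo-IpNumber $Scope.Mask
    $bcast = $net -bor (4294967295 -bxor $mask)
    $poolStart = ConvertTo-IpNumber $Scope.PoolStart; $poolEnd = ConvertTo-IpNumber $Scope.PoolEnd
    $seenIp = @{}; $seenMac = @{}
    foreach ($r in $Reservations) {
        $n = ConvertTo-IpNumber $r.IP
        if (-not (Test-PrivateAddress $r.IP))       { $errors += "$($r.IP): not an RFC 1918 private address" }
        if (($n -band $mask) -ne $net)              { $errors += "$($r.IP): outside subnet $($Scope.Network)" }
        if ($n -eq $net -or $n -eq $bcast)          { $errors += "$($r.IP): network or broadcast address" }
        if ($r.IP -eq $Scope.Router)                { $errors += "$($r.IP): reserved for the router" }
        if ($n -ge $poolStart -and $n -le $poolEnd) { $errors += "$($r.IP): inside the dynamic pool" }
        if ($seenIp.ContainsKey($r.IP))             { $errors += "$($r.IP): duplicate IP address" }
        if ($seenMac.ContainsKey($r.MAC))           { $errors += "$($r.MAC): duplicate MAC address" }
        $seenIp[$r.IP] = $true; $seenMac[$r.MAC] = $true
    }
    return $errors
}

# netsh dhcp argument lists for scope, pool, options 003/006/015/044/046 and the reservations.
function Get-DhcpCommands { param($Scope, $Reservations)
    $s = $Scope.Network
    $cmds = @(
        @('add', 'scope', $s, $Scope.Mask, $Scope.Name),
        @('scope', $s, 'add', 'iprange', $Scope.PoolStart, $Scope.PoolEnd),
        @('scope', $s, 'set', 'optionvalue', '003', 'IPADDRESS', $Scope.Router),
        @('scope', $s, 'set', 'optionvalue', '006', 'IPADDRESS', $Scope.DnsServer),
        @('scope', $s, 'set', 'optionvalue', '015', 'STRING', $Scope.DnsDomain),
        @('scope', $s, 'set', 'optionvalue', '044', 'IPADDRESS', $Scope.WinsServer),
        @('scope', $s, 'set', 'optionvalue', '046', 'BYTE', '8')   # 0x8 = hybrid node
    )
    foreach ($r in $Reservations) { $cmds += ,@('scope', $s, 'add', 'reservedip', $r.IP, $r.MAC, $r.Name) }
    return $cmds
}

$problems = @(Test-AddressPlan $Scope $Reservations)
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return }
foreach ($cmd in Get-DhcpCommands $Scope $Reservations) {
    if ($Apply) { & netsh dhcp server $cmd } else { 'netsh dhcp server ' + ($cmd -join ' ') }
}
```

Without -Apply the script only prints the netsh commands so the plan can be reviewed first; with -Apply it runs them on the local DHCP server (administrative rights required). Any violation of the plan (a reservation on .0, .1 or .255, outside the cell's subnet, outside RFC 1918, duplicated, or inside the small pool) is reported as a warning and nothing is applied.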


Allocation and reservation of IP addresses

Note
Be sure to reserve the following addresses:
- IP address x.x.x.0 as the network address
- IP address x.x.x.1 as the router
- IP address x.x.x.255 as the broadcast address

An example allocation might be:

Figure 2-3 Layers with IP address allocation


The plant configuration and the IP address assignments for our example plant might appear as follows:

Figure 2-4 General overview with IP address

Figure 2-4 contains devices and configurations that will be explained in detail in later sections. Although a simpler diagram might be preferable here, this figure better illustrates the subnet division and IP address assignments.


Application to system types


Single-user system
The IP address configuration can be set statically on each PC. This does not mean, however, that the single-user system cannot be located on a network with DHCP servers. Make sure that you do not duplicate addresses.

Multi-user system, large system
We recommend that you use an additional PC as the DHCP server. The DNS and WINS servers can also be located on this PC. In a domain, the DHCP, DNS and WINS servers can also be installed on a domain controller.


Managing Computers and Users

Principle: Division of responsibility

Various Windows users are assigned the rights required to perform specific tasks for managing computers and users.

Objective
Carefully dividing the spheres of responsibility between the IT department and operating personnel ensures that an IT department administrator cannot inadvertently reboot a WinCC PC and that an operating personnel administrator cannot inadvertently change domain settings.

3.1 Operating Plants in Windows Workgroups

Distributed management of computers and users


Operating a plant without centralized Windows management is generally useful and efficient when:
- The plant has no more than approximately 10 computers
- The plant does not undergo changes on a regular basis (e.g., adding new users, changing computers, introducing new security policies, changing passwords, etc.)
- The operation of a Windows domain infrastructure cannot be safeguarded by appropriately trained personnel
- The uniformity of network settings, computer configurations, security policies, users and passwords can be safeguarded by meticulous, centralized plant documentation

Rules for distributed management


Please note the following in particular:
- If the password of a user changes, it must be changed on all affected computers.
- User accounts that are no longer needed must be removed from all computers.
- All computers in the plant must be configured with the same security policies (for example, use of the LAN Manager V2 (NTLMv2) authentication protocol, signing of SMB communication, password complexity and password age).
- A central record of assigned computer names and IP addresses must be created and kept up to date.
- When local LMHOSTS and HOSTS files are used to support name resolution, all files must always be updated at the same time.

Practical experience has shown that configuring just one computer incorrectly can pose a huge risk to an entire plant. Locating the error in such cases is often tedious and complicated.
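Because nothing in a workgroup enforces the uniformity demanded above, it has to be audited. The following PowerShell script is an added example, not part of the Siemens manual; the computer names and the baseline values are constructed assumptions. It reads the LAN Manager compatibility level and the SMB signing settings from the remote registry and the local password policy through the ADSI WinNT provider, and reports every PC that deviates from the baseline:

```powershell
$Computers = @('WinCCServer01', 'WinCCClient01', 'WinCCClient02')   # constructed
$Baseline = @{                                                        # assumption: plant documentation values
    LmCompatibilityLevel = 3      # send NTLMv2 responses only (LAN Manager V2)
    ServerRequireSigning = 1      # LanmanServer: RequireSecuritySignature
    ClientRequireSigning = 1      # LanmanWorkstation: RequireSecuritySignature
    MinPasswordLength    = 8
    MaxPasswordAgeDays   = 90
}

# Reads one REG_DWORD from HKLM of a remote PC (Remote Registry service must be running).
function Get-RemoteDword { param([string]$Computer, [string]$Path, [string]$Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key = $hklm.OpenSubKey($Path)
    if ($key -eq $null) { return $null }
    return $key.GetValue($Name)
}

# Collects the settings the workgroup rules require to be identical on every PC.
function Get-PlantPCSettings { param([string]$Computer)
    $policy = [ADSI]"WinNT://$Computer"      # local account policy via the WinNT provider
    New-Object PSObject -Property @{
        Computer             = $Computer
        LmCompatibilityLevel = Get-RemoteDword $Computer 'SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
        ServerRequireSigning = Get-RemoteDword $Computer 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
        ClientRequireSigning = Get-RemoteDword $Computer 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'RequireSecuritySignature'
        MinPasswordLength    = [int]$policy.MinPasswordLength.Value
        MaxPasswordAgeDays   = [int]([int64]$policy.MaxPasswordAge.Value / 86400)   # WinNT stores seconds
    }
}

# Returns one line per setting that differs from the baseline (unset values count as deviations).
function Compare-ToBaseline { param($Settings, $Baseline)
    $deviations = @()
    foreach ($name in $Baseline.Keys) {
        $actual = $Settings.$name
        if ($actual -eq $null) { $deviations += "${name}: not set (baseline $($Baseline[$name]))" }
        elseif ([int]$actual -ne [int]$Baseline[$name]) { $deviations += "${name}: $actual (baseline $($Baseline[$name]))" }
    }
    return $deviations
}

foreach ($pc in $Computers) {
    try {
        $d = @(Compare-ToBaseline (Get-PlantPCSettings $pc) $Baseline)
        if ($d.Count -eq 0) { "${pc}: matches baseline" } else { "${pc}: " + ($d -join '; ') }
    } catch { Write-Warning "${pc}: $($_.Exception.Message)" }
}
```

Run it with an account that is a local administrator on all listed PCs. LmCompatibilityLevel 3 means "send NTLMv2 response only"; set the baseline to whatever the plant documentation prescribes. The point is that every PC reports the same values, and a single deviating PC is exactly the "one computer configured incorrectly" that the text warns about.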


Example configuration: Distributed management


Figure 3-1 illustrates the configuration of each individual computer in a plant operating in the Production (A) workgroup:

Figure 3-1 User management in a workgroup

All computers in the Production (A) workgroup must be set up with the same security policy (B), the correct network adapter configuration (C), and a consistent group and user configuration (D); moreover, they must always be updated at the same time. It is easy to see that as the number of users and computers increases, so does the time and effort required for management.


Application to system types

Single-user system
The use of a workgroup is suitable for one or more single-user systems, because the amount of administration work required for a domain is not justified. Nevertheless, it can be useful to operate an additional PC with DNS, WINS and DHCP functionality.

Multi-user system
In a multi-user system, the use of a workgroup is only practical when the above criteria can be met. Otherwise, we recommend the use of a domain as described in Section 3.2 "Managing Plants Using a Windows Domain (Active Directory)". In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.

Large system
Although use in a workgroup is possible, it is not recommended, because the criteria in the following Section 3.2 "Managing Plants Using a Windows Domain (Active Directory)" apply. In any case, centralized management using an additional PC with DNS, WINS and DHCP functionality is recommended.


3.2 Managing Plants Using a Windows Domain (Active Directory)

3.2.1 General Information About Domains

Centralized management of computers and users


Setting up a plant with centralized Windows management is generally useful and efficient when:
- The plant contains 10 or more computers
- The plant undergoes changes on a regular basis (e.g., adding new users, changing computers, introducing new security policies, changing passwords, etc.)
- Data relating to system events and system properties need to be stored in a central location
- Centralized configuration of the individual computers is required

Additional criteria for centralized management


Centralized management (Active Directory) should be configured for the computers and users in a plant if:
- The company has its own security policy that requires an Active Directory domain
- The requirements of legal standards, guidelines or regulations need to be met (e.g., when the use of Kerberos as the authentication procedure or centralized logging of logon events is required)
- Centralized fault-tolerant user management and logon is required
- Centralized fault-tolerant IP address assignment (DHCP) and centralized management of name resolution and registration for computers (DNS/WINS) is required
- An Active-Directory-based certificate server is required, e.g., for secure Web services with encrypted communication via Secure Sockets Layer (SSL), signatures for applications and documents, authentication, certificate-based IPsec communication, and tunnel protocols such as the Layer Two Tunneling Protocol (L2TP)
- The total number of computers, accounts and persons to be managed is very large


Management by operating personnel

Note
When a separate Windows domain is set up for the plant, it must be possible for this domain to be managed by operating personnel. This responsibility cannot be transferred to persons outside the production plant, because such persons are not in a position to judge whether or not a given configuration change will have a negative effect on the production process. This may require additional training of the operating personnel.

Note
Only authorized persons may be permitted to configure a plant PC. Administrative user accounts may only be used for responsibilities within WinCC.

Active Directory in WinCC systems


Active Directory means that the production plant can be configured largely independently of the requirements of the IT department, and the production plant is protected against unintentional intervention by the IT department. Data communication across domains is configured using one-way or transitive trusts between the domains. Note that domains created separately cannot simply be merged into a common forest later: if cross-domain communication is needed at a later time, it is set up through trusts, or the plant objects are migrated into the company domain. Plan the forest and domain structure accordingly at the outset.


Configuration of centralized Windows management with "plant.com" as an example

A domain configured for the example "plant.com" might appear as follows:

Rule: The domains must be configured as fail-safe.
Implementation in the example plant: At least two domain controllers are set up, with intelligent distribution of their tasks (logon and the operations master roles) between them.

Rule: The domains must always be available with high performance.
Implementation: At least one of the two domain controllers is located directly on the plant network. This ensures that a domain logon and a Group Policy update can always be performed, even if the connection to the other networks fails.

Rule: The individual objects must be managed grouped in organizational units.
Implementation: This reduces the risk of an individual object being configured incorrectly.

Rule: The use of additional subdomains should be avoided.
Implementation: This does away with the need for at least two additional domain controllers for each subdomain and reduces the time and effort involved in administration.

Rule: Responsibility for the domains and for the WinCC PCs must be separate.
Implementation: In the "Plant.com" example, the "Production" organizational unit containing all user and computer objects relevant to production has been created for this purpose. Responsibility for it is delegated to an administrative account that only manages the domain properties of this organizational unit and not those of the entire domain (for example, the Chief Operator (B), a foreman of "Plant.com").

Rule: The management and initial configuration of the domain by the domain administrator must be performed by qualified operating personnel or a designated employee of the "Plant.com" IT department.
Implementation: Inherent errors, which may only become apparent much later and require a complete reconfiguration of the domain, are avoided.

Rule: The accounts of the domain administrators may only be used for actual administrative duties.
Implementation: This prevents a misconfiguration or a local virus from affecting the entire domain. These accounts do not normally need to be used in day-to-day activities.

Figure 3-2 shows how management can be simplified on the basis of centrally configured security policies, network configuration and user management. The management of the plant PCs (for example, network configuration, name resolution and IP address assignment) is centralized by the "Production.Plant.com" (A) domain. Responsibility for this infrastructure server (C) is given to the "Domain-Admin".
1. An organizational unit, "OU-Production", is created to manage the plant in the example. This is where all general properties are defined and where the "WinCC-Servers", "WinCC-Clients" and "Web-Servers" groups, as well as the "Server-Desktop-User-Dom", "Client-Desktop-User-Dom" and "WebServer-Desktop-User-Dom" (E) domain user accounts that will subsequently be used for the runtime operation of the plant, are managed.
2. The actual administrative account "Chief-Operator" in the "Operator-Group" manages the subordinate organizational unit "Production-PC". This operator is responsible for the properties that should only be assigned to WinCC PCs (for example, software to be installed, settings for time synchronization, memberships of local groups (D), rights, settings for managing software updates, etc.).

Note
The permissions that should be given to global groups and domain user accounts on the WinCC PCs are described in detail in Section 4 "User and Access Management in WinCC and Integration Into Windows Management" and are simply indicated in Figure 3-2 as orange-colored lines.


Figure 3-2 User management with Active Directory


3.2.2 Embedding Plants in Existing Domains (Active Directory)

Shared domains - Dedicated organizational unit

If a company already has an Active Directory domain, you can form a dedicated organizational unit for managing the plant. The main advantage is that operating personnel do not have to manage a domain. An additional domain controller is installed with support from the company's IT department. The plant personnel receive no administrative permissions to modify the domain, however. This requires extensive communication between the plant personnel and the company IT department: the latter must delegate part of its responsibility to the plant personnel and transfer the management of the production organizational unit to them, and the plant personnel must carry out this responsibility with the utmost care. If planned by specialists and implemented by the IT department and plant personnel working in partnership, this scenario is the optimum solution in terms of efficiency, flexibility and reliability.

Note
Only authorized members of the IT department may be permitted to configure a plant PC. Equally, plant personnel must not endanger the operation of the office network.


Example configuration: Dedicated organizational unit


Figure 3-3 shows the management of the OU-Production (A) organizational unit as a subordinate, independent organizational unit in the Active Directory domain Plant.com. The organizational unit (A) is managed by the production administrator (B). This person can be provided by the IT department and is trusted with all matters concerning the production department. The plant operator and Chief-Operator (C) manage the domain user account (D) global groups and the production PCs.

Figure 3-3 User management Active Directory with dedicated OU


Shared forest - subordinate domains


If a company already has an Active Directory forest, you can form a subordinate domain for managing the plant. This makes it substantially easier to subsequently administer services and accesses across domains throughout the company. However, this makes it necessary to create and manage a dedicated (sub)domain for the plant as when managing plants using a Windows domain (Active Directory). The only difference is the use of a shared domain root.

Figure 3-4 Subordinate domain

Notice
Only precise delineation of the spheres of responsibility through delegation of responsibilities and rights to operating personnel can ensure that no undesirable configuration changes are made to plant PCs by the IT department.


Example configuration: Subdomains


Figure 3-5 shows an independent domain/subdomain (A) for managing the production plant. The administration of the domain and responsibility for the domain controllers are transferred in full to the operating personnel.

Figure 3-5 User management with independent domain


User and Access Management in WinCC and Integration Into Windows Management

Principle: Assigned logon

Assigning a logon for each task on WinCC PCs achieves the following:
1. When logging on to Windows, each user is assigned exactly the rights required to perform the task at hand. For example, in order to work on the WinCC project, the user must be a member of the local groups "Power Users" and "SIMATIC HMI".
2. When logging on during runtime, the operator is assigned exactly the rights required to operate the plant as defined in the "User Administrator" editor.
This completely separates computer access permissions (Windows users) from plant operator authorizations (WinCC users). This is supported by the SIMATIC permissions model, although it requires that the two kinds of authorization be administered in separate configuration dialog boxes.

4.1 Rights Management in Windows

Microsoft Windows permissions model


The ALP strategy (Add User Account to Local Group and assign Permission) recommended by Microsoft is used within a workgroup; this means you add local users with the same function to a local group and then assign the required permissions to that group. The AGLP strategy (Add Domain User Account to Global Group, add global Group to Local Group and assign Permission) is used in a domain; this means you add domain users with the same function to a global group, add this to a local group and then assign the required permissions to the group.


Application with the SIMATIC permissions model


In WinCC, the SIMATIC permissions model provides support in the assignment of permissions. The following SIMATIC user groups are created as local groups during installation:
- SIMATIC HMI
- SIMATIC HMI CS
- SIMATIC HMI VIEWER

The corresponding share permissions and security settings are managed automatically by the WinCC software. The user simply needs to make the local users and global groups members of these SIMATIC user groups.

Note
In addition, all Windows users who are to work on WinCC PCs with SIMATIC components must be added to the local "Power Users" group.

SIMATIC WinCC
WinCC uses the SIMATIC HMI, SIMATIC HMI CS and SIMATIC HMI VIEWER user groups for project sharing and project file access. The first time a project is opened, the project share is created automatically and configured with the required share permissions and security settings. Project share permissions and file access are managed automatically by the WinCC software. Figures 4-1 to 4-3 illustrate the necessary group memberships in detail.

What does this ensure?


- Only a member of the local "Administrators" (Windows) group can install software, change the configuration of a station or project, or assign these rights to other users.
- Normal operation of a plant is performed under a Windows user account that has at most the rights of a member of the local "Power Users" (Windows) group. Such users are referred to in the following as "ClientDesktopUser" and "ServerDesktopUser". This prevents a plant operator from intervening in the management of a station or of the network.
- Access to the Windows desktop must be completely blocked during runtime operation. In order for WinCC to continue to operate and guarantee permanent access to the plant, the Windows desktop session must not be logged off.
- Even if the Web server service (IIS) on a Web navigator server is compromised by a virus or an attacker, it cannot write to the configuration data, because the Web server service account is only a member of the "SIMATIC HMI VIEWER" group and therefore has read access to the project only.
- Nor can another user access this project, even remotely, unless his user account has been created on the station and is a member of the "SIMATIC HMI" group. An additional differentiation between runtime and configuration is planned.


Rules
- Use the Microsoft-recommended ALP strategy (Add User Account to Local Group and assign Permission) and AGLP strategy (Add Domain User Account to Global group, add global group to Local Group and assign Permission).
- The plant operator logs on to the WinCC operator station and is assigned the operator authorizations configured in the "User Administrator" editor and for graphical function objects.
- As well as being local power users, the project engineer and the operator of a project must also be members of the "SIMATIC HMI" group.
- In order to access the project remotely, the "ClientDesktopUser" account of each WinCC client must be a member of the "SIMATIC HMI" group on the server.

Explanation of the following illustrations

Server-Desktop-User
Local Windows user on a WinCC server where process mode (Runtime) runs in a workgroup. A member of the following groups on each WinCC server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Not a member of a local group on a WinCC client or Web server.

Client-Desktop-User
Local Windows user on a WinCC client where process mode (Runtime) runs in a workgroup. A member of the following groups on a WinCC client: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Must also be configured on the WinCC server and be a member of the SIMATIC HMI and SIMATIC HMI VIEWER groups on the WinCC server.

Web Server-Desktop-User
Local Windows user on a Web server where process mode (Runtime) runs in a workgroup. A member of the following groups on each Web server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Must also be configured on the WinCC server and be a member of the SIMATIC HMI and SIMATIC HMI VIEWER groups on the WinCC server. A WinCC client is always installed on a Web server in WinCC systems.

Configurator/Project engineer
Local Windows user on a WinCC configuration system where configuration is performed in a workgroup. A member of the Power Users, SIMATIC HMI and SIMATIC HMI CS groups on the WinCC configuration system. Project configuration changes on a WinCC server or WinCC client should always be made by this user. The WinCC project engineer should therefore also be configured on the WinCC server and WinCC client and be a member of the Power Users, SIMATIC HMI and SIMATIC HMI CS groups there.

WinCC-Server
A global domain group that contains all domain users under which process mode (Runtime) runs on a WinCC server in a domain. A member of the following local groups on each WinCC server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER. Not a member of a local group on a WinCC client or Web server.

WinCC-Client
A global domain group that contains all domain users under which process mode (Runtime) runs on a WinCC client in a domain. A member of the following local groups on each WinCC server: SIMATIC HMI and SIMATIC HMI VIEWER. A member of the following local groups on each WinCC client: Power Users and SIMATIC HMI.

Web Server
A global domain group that contains all domain users under which process mode (Runtime) runs on a Web server in a domain. A member of the following local group on each WinCC server: SIMATIC HMI VIEWER. A member of the following local groups on each Web server: Power Users, SIMATIC HMI and SIMATIC HMI VIEWER.
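The table above defines which account must be in which local group on which type of computer. The following PowerShell script is an added example that is not part of the Siemens manual; it turns the workgroup part of the table into a check that can be run on every WinCC PC. The account names (ServerDesktopUser etc.), the role names and the function names are assumptions; the group names are the ones WinCC creates. It uses the ADSI WinNT provider, so it also works on a domain member where the accounts are domain users:

```powershell
param([string]$Computer = $env:COMPUTERNAME, [string]$Role = 'Server', [switch]$Fix)

# Expected local group membership per account and computer role, taken from the table above.
# Account names are assumptions; the group names are those created by the WinCC installation.
$Expected = @{
    Server    = @{ 'ServerDesktopUser'    = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI VIEWER')
                   'ClientDesktopUser'    = @('SIMATIC HMI', 'SIMATIC HMI VIEWER')
                   'WebServerDesktopUser' = @('SIMATIC HMI', 'SIMATIC HMI VIEWER')
                   'ProjectEngineer'      = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI CS') }
    Client    = @{ 'ClientDesktopUser'    = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI VIEWER')
                   'ProjectEngineer'      = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI CS') }
    WebServer = @{ 'WebServerDesktopUser' = @('Power Users', 'SIMATIC HMI', 'SIMATIC HMI VIEWER') }
}

# Lists the member names of a local group through the WinNT provider (works in a workgroup
# and on a domain member; domain members are reported by their account name).
function Get-LocalGroupMembers { param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
function Add-LocalGroupMember { param([string]$Computer, [string]$Group, [string]$User)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $g.Add("WinNT://$Computer/$User,user")
}

# Reports missing memberships for the role and every unexpected member of a SIMATIC group.
function Test-SimaticMembership { param([string]$Computer, [string]$Role, [switch]$Fix)
    $findings = @()
    $roleMap = $Expected[$Role]
    foreach ($user in $roleMap.Keys) {
        foreach ($group in $roleMap[$user]) {
            $members = @(Get-LocalGroupMembers $Computer $group)
            if ($members -notcontains $user) {
                $findings += "${Computer}: $user missing from '$group'"
                if ($Fix) { Add-LocalGroupMember $Computer $group $user }
            }
        }
    }
    # Anyone else in these groups has read (VIEWER) or full (HMI, HMI CS) access to the project share.
    foreach ($group in 'SIMATIC HMI', 'SIMATIC HMI CS', 'SIMATIC HMI VIEWER') {
        foreach ($m in @(Get-LocalGroupMembers $Computer $group)) {
            if ($roleMap.ContainsKey($m) -and ($roleMap[$m] -contains $group)) { continue }
            $findings += "${Computer}: unexpected member '$m' in '$group'"
        }
    }
    return $findings
}

try {
    $result = @(Test-SimaticMembership -Computer $Computer -Role $Role -Fix:$Fix)
    if ($result.Count -eq 0) { "$Computer ($Role): group membership as expected" } else { $result }
} catch { Write-Warning "${Computer}: $($_.Exception.Message)" }
```

Run it without -Fix first: it lists missing memberships and every unexpected member of a SIMATIC group. -Fix adds the missing memberships (administrative rights required); unexpected members are only reported, because removing an account from a project share is a decision for the administrator, not for a script.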


Example configuration: Local user management of a WinCC server

Figure 4-1 Local user management of a WinCC server


Example configuration: Local user management of a WinCC client

Figure 4-2 Local user management of a WinCC client


Example configuration: Local user management of a Web navigator server

Figure 4-3 Local user management of a Web navigator server


4.2 User management in WinCC

User Administrator
The actual user management for operating the plant is performed in the "User Administrator" editor. The editor is divided into two components, Configuration and Runtime, for assigning and managing permissions:
- Users and permissions are managed in the "User Administrator Configuration System": new users are entered here, passwords are assigned, permissions are managed in a table and the link to SIMATIC Logon is administered.
- The main task of the "User Administrator Runtime System" is to monitor system logons and access rights.

SIMATIC Logon Service


If you intend to use the SIMATIC Logon Service for support in managing rights, users and their group memberships are stored in the Windows user management (local, on the logon server for SIMATIC Logon, or in the domain).

Note
Remember that WinCC users created in the "User Administrator" editor have no rights whatsoever in the Windows environment; in other words, they are not members of any Windows groups. Their permissions are configured by assigning user rights to groups in the "User Administrator" editor.


Planning Time Synchronization

Principle: Exact time of day


Regardless of the source chosen for synchronizing the time of day in a plant, in the final analysis, time errors can only be minimized by ensuring that all subscribers use the same source.

Time synchronization sources


Time synchronization in a plant running WinCC is of utmost importance for synchronizing, tracing, documenting and archiving all time-critical processes. The following methods are generally used for time synchronization:
- A stand-alone time server ((S)NTP server) with connected clock and time stamp receiver module
- Direct integration of a clock and time stamp receiver module at the location to be synchronized (WinCC server/domain controller)
- A combination of both methods

A central plant clock is recommended for plants running WinCC as it allows both methods to be used:
- SICLOCK TM GPS Package 24V, order number 2XV9450-1AR24
- SICLOCK TM GPS Package 230V, order number 2XV9450-1AR25

Both packages contain the SICLOCK TM central plant clock and the SICLOCK GPSDEC radio clock. Other time synchronization products can also be used depending on application requirements.

Additional information: For additional information about time synchronization concepts for industrial plants, please visit us on the Internet at:
German: http://siemens-edm.de/siclock.0.html
English: http://siemens-edm.de/siclock.0.html?id=109&L=2


Criteria for planning time synchronization


The configuration of time synchronization requires careful planning. Errors are difficult to analyze and can have dangerous consequences. The configuration is based on the following factors:
- Time master types, e.g., Siemens SICLOCK TM/TS central plant clock on the plant bus, server with directly integrated receiver module, Internet time server, company time server
- Synchronization methods, e.g., SICLOCK with broadcast time signal via the "Layer 2 GMT" protocol (SIMATIC procedure), SICLOCK with a serial link to a server (DCF 77 emulation), WinCC time synchronization with Windows direct access, Windows time service with SNTP and NTP protocol, DCF 77 reception service with DCF 77 signal processing
- Physical network configuration, for example, not all media support all synchronization methods
- Logical network configuration, for example, broadcast messages cannot be forwarded beyond subnet boundaries
- Windows Active Directory

Recommended configurations
We basically recommend 4 different configurations:
- Windows workgroup without a central plant clock
- Windows workgroup with a central plant clock
- Windows Active Directory without a central plant clock (with NTP time server)
- Windows Active Directory with a central plant clock

Operation in a Windows workgroup is designed for small plants that do not need to be operated in synchronization with the company network or other networks. However, if a plant is to be operated in a Windows domain (Windows Active Directory), no competing time synchronization mechanisms may influence the plant PCs. Whereas for most applications an incorrect time only causes problems in the interpretation of causal relationships, here an imprecise time can lead to domain clients being denied logon when they attempt to log onto their domain controller. The reason for this is a security feature of the domain controller in Windows 2000 and higher, which is intended to prevent hijacking of an established session. The standard authentication protocol, Kerberos V5, uses the time of a workstation as part of the generation process for authentication tickets. If the configured time tolerance (default 5 min.) between client and server is exceeded, it is assumed that an attacker has decrypted the logon and hijacked the session. This is prevented by invalidating the session and rejecting the client's attempt to log onto its domain.
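The (S)NTP offset calculation behind the time server configurations in this chapter and the Kerberos tolerance check described above, as an added Python example that is not part of this Siemens document: it decodes a 48-byte server reply (RFC 4330 layout), performs the client-side sanity checks, computes clock offset and round-trip delay from the four timestamps and reports whether the offset lies inside the 5-minute Kerberos default. The reply, its timestamps and the "GPS" reference identifier are constructed sample values, not a capture from a real time server.

```python
"""Added example: decode an (S)NTP reply, compute the clock offset and
compare it with the Kerberos V5 clock-skew tolerance (constructed data)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Tuple

NTP_PACKET_LEN = 48
KERBEROS_MAX_SKEW_S = 300.0   # Kerberos V5 default tolerance named in the text: 5 min
NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def ntp_to_seconds(whole: int, frac: int) -> float:
    """64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction) to float seconds."""
    return whole + frac / 2 ** 32


def seconds_to_ntp(t: float) -> Tuple[int, int]:
    """Inverse of ntp_to_seconds; only needed here to build the sample reply."""
    whole = int(t)
    frac = int(round((t - whole) * 2 ** 32))
    if frac == 2 ** 32:            # rounding carried into the next second
        whole, frac = whole + 1, 0
    return whole, frac


@dataclass
class SntpReply:
    leap: int        # leap indicator; 3 means the server clock is not synchronized
    version: int
    mode: int        # 4 = server reply, 5 = broadcast
    stratum: int     # 1 = reference clock attached (GPS/DCF77); 0 and 16 are invalid
    t1: float        # originate: client clock when the request left the client
    t2: float        # receive:   server clock when the request arrived
    t3: float        # transmit:  server clock when the reply left the server


def parse_sntp_reply(packet: bytes) -> SntpReply:
    """Decode the fixed 48-byte (S)NTP header."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short packet: %d bytes" % len(packet))
    f = struct.unpack("!BBBb11I", packet[:NTP_PACKET_LEN])
    # f[0] LI/VN/Mode, f[1] stratum, f[2] poll, f[3] precision, f[4..6] root delay,
    # root dispersion, reference id, f[7..8] reference timestamp,
    # f[9..10] originate, f[11..12] receive, f[13..14] transmit timestamp
    return SntpReply(leap=f[0] >> 6, version=(f[0] >> 3) & 0x7, mode=f[0] & 0x7,
                     stratum=f[1], t1=ntp_to_seconds(f[9], f[10]),
                     t2=ntp_to_seconds(f[11], f[12]), t3=ntp_to_seconds(f[13], f[14]))


def validate_reply(reply: SntpReply, sent_t1: float) -> None:
    """Client-side checks before a reply is trusted (RFC 4330, section 5)."""
    if reply.mode not in (4, 5):
        raise ValueError("not a server/broadcast packet (mode %d)" % reply.mode)
    if reply.leap == 3:
        raise ValueError("server clock is not synchronized")
    if not 1 <= reply.stratum <= 15:
        raise ValueError("invalid stratum %d" % reply.stratum)
    if reply.t3 == 0.0:
        raise ValueError("transmit timestamp is zero")
    if reply.t1 != sent_t1:
        # the originate field must echo our request; otherwise the reply is stale or not ours
        raise ValueError("originate timestamp does not match our request")


def reply_is_valid(reply: SntpReply, sent_t1: float) -> bool:
    try:
        validate_reply(reply, sent_t1)
        return True
    except ValueError:
        return False


def clock_offset(reply: SntpReply, t4: float) -> Tuple[float, float]:
    """(offset, round-trip delay) in seconds from the standard NTP formulas."""
    offset = ((reply.t2 - reply.t1) + (reply.t3 - t4)) / 2.0
    delay = (t4 - reply.t1) - (reply.t3 - reply.t2)
    return offset, delay


def within_kerberos_tolerance(offset: float, tolerance: float = KERBEROS_MAX_SKEW_S) -> bool:
    """True if the local clock is close enough to the time source for Kerberos ticket exchange."""
    return abs(offset) <= tolerance


def build_sntp_reply(t1: float, t2: float, t3: float, stratum: int = 1) -> bytes:
    """Construct a mode-4, version-4 server reply for the sample run (constructed data)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    words = [0, 0, 0x47505300]                 # root delay, root dispersion, ref id "GPS"
    for ts in (t3, t1, t2, t3):                # reference (reuse t3), originate, receive, transmit
        words.extend(seconds_to_ntp(ts))
    return struct.pack("!BBBb11I", li_vn_mode, stratum, 6, -20, *words)


def sample_run() -> dict:
    """Constructed scenario: the plant PC's clock runs 7 minutes ahead of a stratum-1 server."""
    t1 = 3700000000.0             # client send time (client clock, NTP seconds)
    t2 = t1 - 420.0 + 0.25        # server receive: server is 420 s behind, 0.25 s on the wire
    t3 = t2 + 0.125               # server transmit after 0.125 s processing
    t4 = t1 + 0.625               # client receive (client clock): 0.25 + 0.125 + 0.25
    reply = parse_sntp_reply(build_sntp_reply(t1, t2, t3))
    validate_reply(reply, t1)
    offset, delay = clock_offset(reply, t4)
    return {"offset": offset, "delay": delay,
            "kerberos_ok": within_kerberos_tolerance(offset)}


if __name__ == "__main__":
    print(sample_run())   # offset -420.0 s, delay 0.5 s, kerberos_ok False
```

A plant PC in this state would be refused by the domain controller until its clock is corrected; the same check applied to a healthy PC yields an offset of well under a second.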


5.1 Time Synchronization in a Windows Workgroup Without a Central Plant Clock

Example configuration - Windows workgroup without a central plant clock

Figure 5-1 Windows workgroup without a central plant clock


Configuring time synchronization of the plant bus


A PLC, such as the SIMATIC S7-400, is defined as the master clock on the plant bus and synchronizes the plant bus cyclically using a broadcast time signal. All other PLCs are configured as slave clocks. The interface modules of the WinCC servers, e.g., CP, are set to transmit and receive these time-of-day frames. Set the interface modules for the plant bus by selecting the menu command "Start > SIMATIC > SIMATIC NET > Configuration Console".

Figure 5-2 Activate time-of-day adjustment on the CP 1613


If the above box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".

Figure 5-3 Changing the operating mode of the CP 1613 to PG mode


"Time-of-day adjustment" can then be activated. You must then reset the mode to "Configured mode".

Figure 5-4 Changing the operating mode of the CP 1613 to Configured mode

The WinCC servers function as what are known as cooperative masters. Only when a CP 1613 on the plant bus is not receiving a broadcast time signal (from an AS as master clock) will WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the plant bus as a substitute for the master clock, which has probably failed. This is described in more detail in the following section.

Configuring time synchronization of the terminal bus


During runtime of a WinCC project, WinCC "Time Synchronization" takes the broadcast time signal received by the CP 1613 via the plant bus and uses it to set the Windows system time for the WinCC servers WinCCServer01 and WinCCServer02. Although the WinCC servers are configured in the following dialog box as Master clocks, they function as so-called cooperative masters; in other words, only when a CP 1613 on the plant bus is not receiving a broadcast time signal (from an AS as the master clock) will WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals on the plant bus as a substitute for the master clock, which has probably failed. However, as soon as the CP 1613 again receives a broadcast time signal on the plant bus, its own "Master" clock mode will automatically switch back to "Slave" clock mode.


Time synchronization is set via "Time Synchronization" in WinCC Explorer.

Figure 5-5 WinCC time synchronization in the server project


The WinCC clients WinCCClient01 and WinCCClient02 are configured as time "Slaves" of the connected WinCC server using WinCC time synchronization in their own projects. They are synchronized with the clock of the respective WinCC server via the "terminal bus" during runtime of their projects.

Figure 5-6 WinCC time synchronization in the client project


5.2 Time Synchronization in a Windows Workgroup with a Central Plant Clock

Example configuration - Windows workgroup with a central plant clock

Figure 5-7 Windows workgroup with a central plant clock


Configuring time synchronization of the plant bus


The SICLOCK TM/TS connected to the plant bus as the central plant clock transmits a highly accurate broadcast time signal on the plant bus. It synchronizes its own time of day with a connected DCF77 radio module or GPS receiver module. All ASs are configured as slave clocks. The interface modules of the WinCC servers, e.g., CP 1613, are set to transmit and receive these time-of-day frames.

Figure 5-8 Activate time-of-day adjustment on the CP 1613

If the above box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".


Set the interface modules for the plant bus by selecting the menu command "Start > SIMATIC > SIMATIC NET > Configuration Console".

Figure 5-9 Changing the operating mode of the CP 1613 to PG mode

"Time-of-day adjustment" can then be activated. However, you must then reset the mode to "Configured mode".

Figure 5-10 Changing the operating mode of the CP 1613 to Configured mode

The WinCC servers function as what are known as cooperative masters. Only when a CP 1613 on the plant bus is not receiving a broadcast time signal (from the central plant clock) will WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the plant bus as a substitute for the central plant clock, which has probably failed. This is described in more detail in the following section.

Configuring time synchronization of the terminal bus


During runtime of a WinCC project, WinCC "Time Synchronization" takes the broadcast time signal received by the CP 1613 via the plant bus and uses it to set the Windows system time for the WinCC servers WinCCServer01 and WinCCServer02. Although the WinCC servers are configured in the following dialog box as Master clocks, they function as so-called cooperative masters; in other words, only when a CP 1613 on the plant bus is not receiving a broadcast time signal (from the central plant clock) will WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals on the plant bus as a substitute for the central plant clock, which has probably failed. However, as soon as the CP 1613 again receives a broadcast time signal on the plant bus, its own "Master" clock mode will automatically switch back to "Slave" clock mode.


Time synchronization is set via "Time Synchronization" in WinCC Explorer.

Figure 5-11 WinCC time synchronization in the server project


The WinCC clients WinCCClient01 and WinCCClient02 are configured as time "Slaves" of the connected WinCC server using WinCC time synchronization in their own projects and are synchronized with the clock of the respective WinCC server via the "terminal bus" during runtime of their projects.

Figure 5-12 WinCC time synchronization in the client project


5.3 Time Synchronization in a Windows Active Directory Domain Without a Central Plant Clock (with NTP Time Server)

Example configuration - Windows domain without a central plant clock but with NTP time server

Figure 5-13 Windows domain without a central plant clock but with NTP time server


Configuring time synchronization of the plant bus


All ASs are configured as slave clocks. The interface modules of the WinCC servers, e.g., CP 1613, are set to transmit and receive these time-of-day frames. Set the interface modules for the plant bus by selecting the menu command "Start > SIMATIC > SIMATIC NET > Configuration Console".

Figure 5-14 Activate time-of-day adjustment on the CP 1613


If the box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".

Figure 5-15 Changing the operating mode of the CP 1613 to PG mode

"Time-of-day adjustment" can then be activated. You must then reset the mode to "Configured mode".

Figure 5-16 Changing the operating mode of the CP 1613 to Configured mode


The WinCC servers function as what are known as "cooperative masters". The first WinCC server activated on the plant bus and not receiving a broadcast time signal automatically switches to "Master" clock mode. All other WinCC servers activated subsequently then detect a broadcast time signal on the plant bus and automatically switch to "Slave" clock mode. This is described in more detail in the following section.

Note
Time synchronization of the AS is only performed when at least one WinCC server is activated.

Configuring time synchronization of the terminal bus


The NTP "TimeServer" with a DCF 77 radio module or GPS receiver module represents an extremely reliable time source. The domain controller configured as forest master and/or the PDC emulator (Primary Domain Controller emulator, usually the first installed domain controller) is configured as a direct time client of the authoritative "TimeServer" time source. The procedure for this is described by Microsoft in "How to configure an authoritative time server in Windows Server 2003", http://support.microsoft.com/kb/816042/EN-US/, under the topic "Configuring the Windows Time service to use an external time source".

All other plant PCs are automatically time clients of the PDC emulator through their membership of the domain. Since the Windows-internal time synchronization is too infrequent for runtime operation of a plant, WinCCServer01 and WinCCServer02 are additionally configured as "Slave" clocks of the PDC emulator using WinCC time synchronization. Any other domain controller is configured as a substitute "Master" clock.


Time synchronization is set via "Time Synchronization" in WinCC Explorer.

Figure 5-17 WinCC time synchronization with domain controller in the server project


The WinCC clients WinCCClient01 and WinCCClient02 are configured as "Slave" clocks of the domain controllers or of the connected WinCC servers using WinCC time synchronization in their own projects and are synchronized with the clock of the respective domain controller or WinCC server via the "terminal bus" during runtime of their projects.

Figure 5-18 WinCC time synchronization with domain controller in the client project


Figure 5-19 WinCC time synchronization with connected WinCC server in the client project


WinCC PCs, such as WinCCClient02 or CS, for which WinCC time synchronization is not available, are synchronized via the DCF77 reception service, which must be installed separately. It can use one of the two domain controllers or WinCC servers as the master clock.

Figure 5-20 Setting the DCF77 reception service on the client without WinCC time synchronization


5.4 Time Synchronization in a Windows Active Directory Domain With a Central Plant Clock

Example configuration - Windows domain with a central plant clock

Figure 5-21 Windows domain with a central plant clock


Configuring time synchronization of the plant bus


The SICLOCK TM/TS connected to the plant bus as the central plant clock transmits a highly accurate broadcast time signal on the plant bus. It synchronizes its own time of day with a connected DCF77 radio module or GPS receiver module. All ASs are configured as slave clocks. The interface modules of the WinCC servers, e.g., CP 1613, are set to transmit and receive these time-of-day frames. Set the interface modules for the plant bus by selecting the menu command "Start > SIMATIC > SIMATIC NET > Configuration Console".

Figure 5-22 Activate time-of-day adjustment on the CP 1613


If the box is grayed out on the "Activate time-of-day adjustment on the CP 1613" screen and "Time-of-day adjustment" is deactivated, the CP 1613 must first be switched to "PG mode".

Figure 5-23 Changing the operating mode of the CP 1613 to PG mode


"Time-of-day adjustment" can then be activated. You must then reset the mode to "Configured mode".

Figure 5-24 Changing the operating mode of the CP 1613 to Configured mode

The WinCC servers function as what are known as cooperative masters. Only when a CP 1613 on the plant bus is not receiving a broadcast time signal (from the central plant clock) will WinCC time synchronization switch to "Master" clock mode and itself transmit broadcast time signals to the plant bus as a substitute for the central plant clock, which has probably failed. This is described in more detail in the following section.
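The cooperative master behaviour described for the WinCC servers in sections 5.1 to 5.4, as an added Python model that is not part of this Siemens document: each server remains a slave while any other source transmits time frames on the plant bus, takes over as master only when it is activated onto a silent bus or when the bus has been silent longer than a watchdog period, and yields again as soon as the plant clock (AS master clock or SICLOCK) is heard. The server names follow the text; the plant bus, the 10 s watchdog and the timing of the clock failure are constructed assumptions, not WinCC settings the document states.

```python
"""Added example: model of WinCC servers acting as cooperative masters on the
plant bus. Constructed simulation, not code from the Siemens document."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

PLANT_CLOCK = "plant clock"    # AS master clock (5.1) or SICLOCK central plant clock (5.2 to 5.4)
BROADCAST_TIMEOUT_S = 10.0     # assumed watchdog: bus silence tolerated before a server takes over


@dataclass
class WinCCServer:
    name: str
    activated_at: float                      # simulated time at which the WinCC project is activated
    mode: str = "SLAVE"                      # "SLAVE" or "MASTER"
    last_broadcast: Optional[float] = None   # last time a frame from another source was received


def step(now: float, servers: List[WinCCServer], plant_clock_alive: bool) -> Dict[str, str]:
    """Advance the bus by one tick and return the mode of every activated server.

    Servers are evaluated in activation order, so on a silent bus the first
    server activated becomes master and the later ones already see its frames.
    """
    broadcasting: Set[str] = {PLANT_CLOCK} if plant_clock_alive else set()
    broadcasting |= {s.name for s in servers if s.mode == "MASTER"}
    for s in servers:
        if s.activated_at > now:
            continue                          # project not yet activated
        others = broadcasting - {s.name}
        if others:
            # a time frame from another source arrived: stay slave, or yield if we were master
            s.last_broadcast = now
            if s.mode == "MASTER":
                s.mode = "SLAVE"
                broadcasting.discard(s.name)
        elif s.last_broadcast is None or now - s.last_broadcast > BROADCAST_TIMEOUT_S:
            # silent bus at activation, or the source has been missing too long: take over
            s.mode = "MASTER"
            broadcasting.add(s.name)
    return {s.name: s.mode for s in servers if s.activated_at <= now}


def simulate(servers: List[WinCCServer], plant_clock_alive: Callable[[int], bool],
             ticks: int) -> Dict[int, Dict[str, str]]:
    """Run the model for `ticks` one-second steps and record every server's mode per tick."""
    history: Dict[int, Dict[str, str]] = {}
    for t in range(ticks):
        history[t] = step(float(t), servers, plant_clock_alive(t))
    return history


def scenario_central_clock_fails() -> Dict[int, Dict[str, str]]:
    """Sections 5.1/5.2 (constructed): the plant clock broadcasts until t=10,
    is silent until t=25 and then returns."""
    servers = [WinCCServer("WinCCServer01", 0.0), WinCCServer("WinCCServer02", 0.0)]
    return simulate(servers, lambda t: t < 10 or t >= 25, 30)


def scenario_no_plant_clock() -> Dict[int, Dict[str, str]]:
    """Section 5.3 (constructed): no plant clock; WinCCServer02 is activated 5 s later."""
    servers = [WinCCServer("WinCCServer01", 0.0), WinCCServer("WinCCServer02", 5.0)]
    return simulate(servers, lambda t: False, 10)


def mode_changes(history: Dict[int, Dict[str, str]]) -> List[str]:
    """Human-readable list of mode transitions, e.g. 't=20 WinCCServer01 SLAVE->MASTER'."""
    changes, previous = [], {}
    for t, modes in history.items():
        for name, mode in modes.items():
            if previous.get(name) != mode:
                changes.append("t=%d %s %s->%s" % (t, name, previous.get(name, "off"), mode))
            previous[name] = mode
    return changes


if __name__ == "__main__":
    for line in mode_changes(scenario_central_clock_fails()):
        print(line)
    for line in mode_changes(scenario_no_plant_clock()):
        print(line)
```

In the first scenario WinCCServer01 takes over at t=20 (10 s after the last frame) while WinCCServer02 stays slave because it now hears WinCCServer01, and both are slaves again the moment the plant clock reappears at t=25.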


Configuring time synchronization of the terminal bus


The SICLOCK TM/TS central plant clock with a DCF 77 radio module or GPS receiver module is an extremely reliable time source. The domain controller, which is configured as a forest master, and/or the PDC emulator (Primary Domain Controller emulator, usually the first installed domain controller) is connected directly to the central plant clock using a serial cable. A "DCF 77 reception service" to be installed separately continually synchronizes this domain controller with the central plant clock with a high degree of precision. Set the DCF77 reception service by selecting the menu command "Start > Settings > Control Panel > DCF77 Reception Service".

Figure 5-25 DCF77 reception service on the domain controller

This domain controller is then configured as the authoritative time source. The procedure for this is described by Microsoft in "How to configure an authoritative time server in Windows Server 2003", http://support.microsoft.com/kb/816042/EN-US/, under the topic "Configuring the Windows Time service to use an internal hardware clock".

All other plant PCs are automatically time clients of the PDC emulator through their membership of the domain. Since the Windows-internal time synchronization is too infrequent for runtime operation of a plant, WinCCServer01 and WinCCServer02 are additionally configured as "Slave" clocks of the PDC emulator using WinCC time synchronization. Any other domain controller is configured as a substitute "Master" clock.


Time synchronization is set via "Time Synchronization" in WinCC Explorer.

Figure 5-26 WinCC time synchronization with domain controller in the server project


The WinCC clients WinCCClient01 and WinCCClient02 are configured as "Slave" clocks of the domain controllers or of the connected WinCC servers using WinCC time synchronization in their own projects and are synchronized with the clock of the respective domain controller or WinCC server via the "terminal bus" during runtime of their projects.

Figure 5-27 WinCC time synchronization with domain controller in the client project


Figure 5-28 WinCC time synchronization with connected WinCC server in the client project


WinCC PCs, such as WinCCClient02 or CS, for which WinCC time synchronization is not available, are synchronized via the DCF77 reception service, which must be installed separately. It can use one of the two domain controllers or WinCC servers as the master clock.

Figure 5-29 DCF77 reception service on the client without WinCC time synchronization


Implementing Patch Management


Comprehensive information about patch management is available on the Internet at http://www.microsoft.com/technet/security/prodtech/sus/secmod198.mspx. A substantial portion of the following chapter has been taken from this site and adapted for a WinCC system.

Principle: Management of software updates and security patches


In order to avoid dangerous situations such as those encountered in the past, primarily in relation to security vulnerabilities and viruses, there must be a method for the fast, controlled deployment and installation of new security patches, updates and hotfixes. Unlike older systems, modern networked visualization systems must be capable of closing detected security problems using the latest security patches available.

Microsoft patch management process


The patch management process recommended by Microsoft is a four-phase management method for software updates designed to enable your company to control the deployment and maintenance of software updates in a production environment.

Figure 6-1 Microsoft patch management process



Phase - Description
Assess: The process starts with an assessment of the equipment in a production environment and the potential security threats and vulnerabilities, and also asks if your organization is ready to respond to new software updates.
Identify: Your goal during the Identify phase is to discover new software updates in a reliable way, determine whether they are relevant to your production environment and determine whether an update represents a normal or emergency change.
Evaluate and plan: Your goal during the Evaluate and Plan phase is to make a go/no-go decision to deploy the software update and determine what is needed to deploy it. You should also test the software update in a production-like environment to confirm that it does not compromise business critical systems and applications.
Deploy: Your goal during the Deploy phase is to successfully roll out the approved software update in your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) you have in place.

Patch management with the Software Update Services (SUS)


Software Update Services (SUS) enable you to automatically install important updates and security rollouts on computers across the entire network without you personally needing to search for each computer or write a script. For additional information about the use of SUS, see:
- Section 6.2 "Installing and Configuring the Software Update Service (SUS)"
- http://www.microsoft.com/technet/security/prodtech/sus/secmod198.mspx

Patch management with Systems Management Server (SMS)


The Systems Management Server (SMS) is a Microsoft tool for managing configurations of and changes to Windows operating systems for servers and workstations. You can find extensive information about patch management with SMS at: http://www.microsoft.com/technet/prodtechnol/sms/sms2003/default.mspx

Patch management with the Windows Software Update Services (WSUS) 2.0
http://www.microsoft.com/technet/technetmag/issues/2005/11/HandsOn/default.aspx


6.1 Implementing Patch Management


This section is intended to support you in developing and automating the patch management process.

Patch management process


A patch management process consists of the following phases:
Phase - Description
Detect: With the support of tools such as MBSA you can scan your system for missing security patches. The detection process must be automated to trigger the patch management process.
Assess: If the required updates are not installed, determine the severity of the problems for which the patch is intended and the preventive factors that may affect your decision. By comparing the problems with the preventive factors, you can determine if the security risk represents a threat to your current environment.
Obtain: If the available security measures do not cover the security risk, download the patch for testing.
Test: Install the patch on a test system and test the effect of the update on your production configuration.
Deploy: Make the patch available to the plant PCs. Make sure that there are no negative effects on your applications. Implement your rollback or security response plan as needed.
Manage: Subscribe to the security bulletin notifications for information about newly discovered security vulnerabilities and restart the patch management process from the beginning.

Current FAQs
When deploying security patches in plants running WinCC, read the latest FAQs available on the Internet at http://support.automation.siemens.com/. The following FAQs are important:
- FAQ 22016868: http://support.automation.siemens.com/WW/view/en/22016868
- FAQ 18752994: http://support.automation.siemens.com/WW/view/en/18752994


6.1.1 How to Detect a Security Vulnerability With MBSA

Using MBSA
The Microsoft Baseline Security Analyzer (MBSA) can be used for the following tasks:
- Scanning one or more computers for vulnerabilities
- Determining the availability of security updates

MBSA can be used in two modes:
- Graphic user interface
- Command line

Either mode can be used to scan one or more computers.

Note
The logon account required for executing MBSA must be a member of the Administrators group on the computers to be scanned. Use the command net use \\computername\c$ to check whether the required access rights and permissions are available; "computername" refers to the network name of the computer to be scanned for missing patches. Resolve any problems regarding access with administrative privileges before scanning remote computers with MBSA.


How to manually detect missing updates using the graphical user interface in MBSA
1. Start MBSA by double-clicking the desktop icon or selecting MBSA in the "Programs" menu.
2. Click "Scan a Computer". MBSA scans the local computer with the default setting. To scan multiple computers, click "Scan Multiple Computers" and then select a number of computers or an IP address range.
3. Select all check boxes (see Figure 6-2).
4. Click "Start Scan". Your server will now be analyzed. Once the scan is complete, MBSA displays a security report and saves this report in the directory %userprofile%\SecurityScans.

In the following example, all boxes have been checked for scanning IP address 192.168.25.25 (WinCCClient01, see Figure 2-4). The subordinate SUS server (SEC-CA) is also checked.

Figure 6-2 MBSA computer scan

5. Once the scan is complete, click the link next to the negative items for details of the results (see Figure 6-3); a list of the security updates that have not yet been installed will appear. The Microsoft Security Bulletin reference number is displayed. You can obtain additional information about a bulletin by clicking the reference.

How to detect missing updates using the command line interface in MBSA
Go to the MBSA installation directory in a command line window and enter the following command:
mbsacli /i 192.168.25.25 /sus "http://192.168.125.53/"
This produces the same report that is available in the graphic user interface. Here too, the report is saved in the directory %userprofile%\SecurityScans.


How to analyze the generated report


1. Start MBSA by double-clicking the desktop icon or selecting MBSA in the "Programs" menu.
2. Click "Pick a security report to display" and open the report (or reports if you have scanned multiple computers).
3. To display the results from a scanned computer, place the mouse pointer on the name of the computer in the list. The reports are listed in the order of their timestamp.

Explanation of the MBSA results

Figure 6-3 MBSA scan results

The top half of the MBSA screenshot shown in Figure 6-3 is self-explanatory. A red "X" indicates that a serious problem has been found. To display a list of missing patches, click the corresponding Result details link.


Searching for security updates


Searching for security updates can result in two types of problem:
- Missing patches
- Patches that cannot be confirmed

For both types, links are available to the relevant hotfix and security bulletin sites that provide information about the patch as well as download instructions.

Missing security update


Missing patches are indicated by a red "X". Click the Result details link in Figure 6-3 to access the following information:

Figure 6-4 MBSA missing security update

Unconfirmed security update


A blue asterisk indicates that a patch cannot be confirmed. This occurs when your system has a file that is newer than a Security Bulletin file. This may happen if you have installed a new version of a product that updates a common shared file.

Figure 6-5 MBSA unconfirmed security update

If there is an update that cannot be confirmed, check the information in the bulletin and follow the instructions for installing the patch or changing the configuration.

Additional information
Additional information about patches that cannot be checked with MBSA is available in Microsoft Knowledge Base Article 306460, "HFNetChk Returns Note Messages for Installed Patches".


6.1.2 Assessing Security Vulnerabilities


You need to use the list of missing patches detected by MBSA to assess whether or not the security vulnerability poses a substantial risk. You must carefully weigh two factors: the security risk of uninstalled security patches on the one hand, and the effort required for installation on the other (the computer may need to be rebooted). Microsoft Security Bulletins contain technical information you can use to determine the degree of threat posed by the security vulnerabilities in your system.

Security Bulletins
You can assess the risk of an attack by reading the following information in the security bulletins:
- Technical information about what an attacker needs to exploit the security vulnerabilities described in bulletins. Physical access may be required for an attack, for example, or the user may have to open a harmful e-mail attachment.
- Mitigating factors you need to assess in light of your security policy to determine how much you are affected by a security vulnerability. A patch might not be absolutely necessary because of your security policy. If you are not using the index service on your server, for example, there is no need to install a patch against a security threat in the service.
- Assessing threats to set priorities. Assessing the severity of threats involves several factors. These include the role of the computer whose security may be endangered and the extent to which this computer is affected by the security vulnerability.

Note
If you are using an affected product, you must almost always install the patches for security vulnerabilities that are characterized as critical or important. Patches rated as critical should be installed as soon as possible.


6.1.3 Obtaining Software Updates and Security Patches


An SUS server can be used in plants running WinCC. You can use Microsoft's Software Update Service (SUS) to deploy software updates and security patches on all plant PCs quickly and effectively. The SUS server allows an administrator to view all updates and approve only those that are actually required for the plant PCs.

Additional information
You can find detailed additional information in 6.2 Installing and Configuring the Software Update Service (SUS).

6.1.4 Testing Security Patches


Any patches that the scan says need to be installed should first be installed in a test environment to avoid impairment of plant operations. FAQ 18752994 (http://support.automation.siemens.com/WW/view/de/18752994) generally approves the use of Microsoft security patches in plants running WinCC.

6.1.5 Deploying Security Patches


Once you have ascertained that it is safe to install the patch, deploy the update reliably and efficiently on your production servers. There are a variety of options for deploying patches throughout the company. These include:
- Using the Software Update Service (SUS)
- Using the Systems Management Server (SMS)
- Using the Windows Software Update Service (WSUS)

6.1.6 Maintaining the Patch Environment


The patch management cycle also includes keeping your servers up-to-date using the latest patches. The patch management cycle begins again when you learn that new security vulnerabilities have been found and missing security updates are available. You must complete the entire patch management cycle to bring your servers up-to-date with the latest security patches. To restart the cycle, proceed as follows:
- Perform security assessments
- Use the security bulletin notification services


6.2 Installing and Configuring the Software Update Service (SUS)


This section includes the information you need to use the Software Update Service for installing and configuring updates with WinCC. It is based on information made available by Microsoft on the Internet:
German: http://www.microsoft.com/germany/technet/datenbank/articles/600220.mspx
English: http://www.microsoft.com/technet/security/tools/sadsus1.mspx

The installation of the SUS-CA server is described in our example.

6.2.1 Basics of SUS

Software Update Service (SUS)


SUS provides a way to deploy critical updates (hotfixes that solve non-security-related bugs) and critical security updates to computers throughout a network. It does not require you to access each computer physically or write any scripts. SUS is very flexible in this respect. You retain control of which updates to deploy, when to deploy them and on which computers they should be installed.

Limitations of SUS
Limitations of SUS:
- SUS does not support Windows NT or Windows 9x computers.
- SUS does not support Microsoft Office or Microsoft BackOffice products. SUS updates the OS, Microsoft IIS and Microsoft Internet Explorer (IE) only.
- Although it supports many languages, SUS does not yet support every language supported by Windows XP and Windows 2000.
- SUS does not have an uninstall option to automatically remove an update it has deployed. Therefore, it is important to test updates before installing them with SUS. You can also use the manual uninstall method to remove updates.


Components of the Software Update Service (SUS)


SUS consists of three components:
- SUS: this component runs on your server
- Automatic Updates (AU): this component runs on the client machines
- Group Policy settings for the AU clients

The SUS server is basically an IIS Web site. You use Web pages to administer and monitor SUS, and AU clients use Web pages to download updates. Microsoft stores the updates on its Windows Update servers. The SUS Windows Update Synchronization Service handles the periodic synchronization between the SUS server and the Microsoft Windows Update servers. AU clients use HTTP to communicate with an SUS server; the SUS server also uses HTTP.

The AU clients periodically contact the Windows Update servers and synchronize the database of updates available for download. This database is called the catalog. You can perform catalog synchronizations on demand, or you can schedule them. The catalog does not contain the actual updates. It contains a description of the updates and the information that the AU clients need to determine whether an update is applicable to their XP or Win2K installations.

You can configure the SUS server to download and install the updates for each language you choose to support, or you can leave the updates on the Windows Update servers. In this case, the AU clients download and install the updates. No matter which configuration you choose, SUS checks the updates against Microsoft's public certificate before downloading and installing them. This prevents impostors from using SUS to insert malicious code into your computers.

Although a single process in many programs, downloading and installation are two separate processes in SUS. Let's say that you want to have the AU clients download and install updates. The AU clients periodically check your SUS server for any newly approved updates. When an AU client finds an update that it needs to download, it begins the download process by connecting to the appropriate Windows Update server. You can configure the AU client to automatically download and install the update. Alternatively, you can configure it to notify the user that an update is ready for download.

In the latter case, the AU client waits for the user to initiate the download. Once the AU client has downloaded the update to a temporary folder, the installation process begins. The AU client checks the options you set to determine when to install the update. You can configure the AU client to automatically install updates according to a schedule you have set. Alternatively, you can configure the AU client to notify the user that updates are available for installation. It will then wait for the user to initiate the installation. After installing the updates, the AU client restarts the computer if required. If a user is currently logged on, the AU client gives the person 5 minutes to save his or her work, close all programs, and log off. The AU client then restarts the computer. Because the AU client uses the Qchain tool, it only needs to restart the machine once, even if it installs several updates.


Rules for Patch Management


All AU clients, including all plant PCs, must have access to SUS via HTTP. New security patches on the SUS server must be deployed for production operation following successful testing in the test environment. Depending on the configuration, one of the following must be performed:
- The authorized administrator downloads the new security patches to the plant PCs and performs the installation step-by-step.
- The new security patch is downloaded and a hidden installation is performed. The patches are activated by the authorized administrator on the next scheduled reboot.

The configuration of the AU clients must be performed according to a Group Policy. Once the installation of the patches on the AU clients is complete, they must not be rebooted automatically. Scan data traffic during download and deployment of the patches using an application firewall with a virus scanner (for example, Microsoft Internet Security And Accelerator Server and the TrendMicro virus scanning module).


Example configuration SUS Server


Configuration:
- Higher-level SUS server with firewall-protected Internet access to the MS Windows Update Web site
- Synchronization of the available updates of the lower-level SUS server through a firewall-protected HTTP connection to the higher-level SUS server
- Placement of the SUS server ideally in a perimeter network

The following figure shows the placement of the higher-level SUS server (A) in the ERP and the placement of the lower-level SUS server (B) in the MES. The lower-level SUS-CA server downloads its patches from the higher-level SUS-ERP server over the MES firewall via http. All plant PCs receive their patches from the lower-level SUS server. For this to work, HTTP download from the lower-level SUS server must be permitted at all access points. To also allow a dial-up support computer (D) to install any missing updates before it accesses the plant, it must also be given access to the lower-level SUS server while it is still in the quarantine network. The MES network serves as the quarantine network.

Figure 6-6 SUS placement


6.2.2 Installing SUS
To use SUS, you need a server on which to run SUS. AD domain controllers and machines running Microsoft Small Business Server (SBS) cannot be SUS servers. The SUS server as well as the domain controllers and workstations that SUS will manage all need to run:
- Windows 2000 SP2 or higher
- IE 5.5 or higher
The SUS server also needs to run IIS 5.0 or higher.

You can install SUS on an IIS server that already hosts other Web sites. SUS can coexist with other Web sites because SUS uses only three IIS components:
- The Common Files folder
- Microsoft Management Console (MMC) Internet Information Services snap-in
- World Wide Web Server (not on a WinCC PC, however)

SUS is usually installed in the default Web site. If you do not have a default Web site or you have a different Web site bound to port 80, see Appendix A in the Microsoft white paper "Deploying Microsoft Software Update Services". To access this paper, click the Software Update Services Deployment White Paper link on the Software Update Services Web page: http://www.microsoft.com/Windows2000/downloads/recommended/susserver/default.asp. The SUS Web site also has a link to download SUS.

Once you have downloaded SUS, open the file sussetup.msi to start the Setup Wizard. The welcome page and end user license agreement (EULA) (which you must accept) appear; when prompted, select the Typical installation option and click Next. Make a note of the SUS server's URL. You will need this URL to configure the AU clients. Click Install.

During installation, SUS runs the IIS Lockdown Tool to secure IIS on the SUS server. This lockdown prevents an intruder who has broken into your SUS server from accessing AU clients. The IIS Lockdown Tool disables options that present security risks. Therefore, it might break existing Web applications. If your SUS server hosts other Web applications and those applications depend on components such as WebDAV (WWW Distributed Authoring and Versioning), Microsoft FrontPage Server Extensions or FTP, you might run into problems. Although you can get SUS to coexist with these applications, you might need to enable certain options again after installing SUS. For a full description of the changes SUS makes to IIS, see Appendix A in the "Deploying Microsoft Software Update Services" white paper.

At the end of the installation routine, the Wizard displays the Finish page along with the URL for the SUS administration Web page. Make a note of this URL. You will need it to administer the SUS server in the future.


6.2.3 Configuring the SUS Server


You now need to configure the SUS server. Through SUS server configuration, you can control how and when the SUS server synchronizes with the Windows Update servers and which updates to approve for deployment. You can configure your SUS server on any network computer running IE 5.5 or higher. Open Internet Explorer and enter either a NetBIOS name (e.g., //SUS-CA/SUSAdmin) or a DNS name (e.g., //sus-ca.laboratory.siemens.net/SUSAdmin) as a URL. The welcome page shown in Figure 6-7 appears. The left pane of this page contains several important links, including the "Set Options" link, the "Synchronize Server" link and the "Approve Updates" link.

Figure 6-7 SUS welcome page


The Set Options link. Click here to open the Options page, which contains five sections. Under "Select a proxy server configuration", you need to specify whether to use a proxy server configuration. If your network has to access the Internet via a proxy server, you can configure the SUS server to authenticate and use the proxy server to access the Windows Update servers. However, for this example, select the "Do not use a proxy server to access the Internet" option.

Figure 6-8 SUS configuration of the proxy server

Under "Specify the name your clients use to locate this update server" you can, if necessary, enter the name of your SUS server. By default, the "Server name" edit box will contain your SUS server's NetBIOS name. If you have disabled NetBIOS name resolution on your network, however, you can change it to the DNS name or IP address. You will also need to enter the SUS server name again in the AU client configuration. Unfortunately, it is not clear why you have to change the settings on both the server and the client.

Figure 6-9 SUS configuration of the server name


Under the "Select which server to synchronize content from" section, specify the data source with which you want the SUS server to synchronize. There are two options: the "Synchronize directly from the Microsoft Windows Update servers" option, which is the default setting, and the "Synchronize from a local Software Update Services server" option, which lets you synchronize your SUS server with another SUS server, for example, to accommodate scalability needs. If you are synchronizing with another SUS server, enter that server's NetBIOS or DNS name. If you select the "Synchronize list of approved items updated from this location (replace mode)" option, your SUS server will not only synchronize its own catalog of updates but will also use the other server's list of approved updates.

Figure 6-10 SUS configuration of the update source

Under "Select how you want to handle new versions of previously approved updates", you can specify how you want SUS to handle new versions of updates. Sometimes a bug in an update comes to light and Microsoft has to re-approve the update. What happens if you have already approved this update? Do you want SUS to direct AU clients to automatically install the new version? If so, select the Automatically approve new versions of previously approved updates option. However, if you would rather have SUS treat the new version of the update as a new update and wait for you to approve it before deployment, select "Do not automatically approve new versions of previously approved updates. I will manually approve these later."

Figure 6-11 SUS configuration of updates


Under "Select where you want to store updates", specify the location in which you want to store updates. Remember that SUS always downloads the catalog. However, you can control whether you want to download the updates to the SUS server or leave the updates on the Windows Update server. For this example, select "Save the updates to a local folder". Then select the languages for which you want to save updates.

Figure 6-12 SUS language configuration

Once you have completed these five steps and selected the options you require, click "Apply" to save your selections. You are now ready to configure the SUS synchronization schedule and approve the updates you want to deploy.


The "Synchronize server" link. Click the "Synchronize server" link to open the "Synchronize server" page. This page displays two options: "Synchronize now", which you can click to perform an immediate synchronization manually, and "Schedule Synchronization", which you can click to create a schedule for automatic synchronization. Click "Schedule Synchronization". As you can see in Figure 6-13, you can start synchronization on request only (i.e., without a schedule being configured), configure synchronization to take place on a daily basis at a specific time, or configure synchronization to take place once a week on a specific day at a specific time. If you decide to create a schedule, change the preset time (e.g., 03:00). The Windows Update servers may be overloaded at this time, as all the default-configured SUS servers will be submitting synchronization requests. You can also configure how many times SUS should retry synchronization if a synchronization attempt fails. The default setting is three attempts. SUS waits 30 minutes between attempts.

Figure 6-13 SUS schedule configuration

In our example, SUS has been configured to synchronize daily at 01:00. Notice how the "Synchronize server" page now specifies the date and time of the next scheduled synchronization. Click "Synchronize". SUS displays the system with which it is synchronizing along with the progress of that synchronization.


The Approve updates link. Click this link to display a list of all updates in the catalog and configure the status of these updates. This list appears in Figure 6-14. You can sort the list by update date, title, platform (Windows XP or Windows 2000), or status. In terms of its status, an update can be "Approved" (approved for distribution to the appropriate AU clients), "Not Approved", "New" (a recently downloaded update that has not been approved), "Updated" (a new version of a previously approved update) or "Unavailable" (update is not available for download).

Figure 6-14 Approving SUS updates

The list of updates in Figure 6-14 shows that all IE security updates associated with KB867282 have been approved. These include the IE for Windows XP, IE for Windows Server 2003, IE 6 SP1 and IE 5.01. Although all these updates have been approved, each AU client installs only the update appropriate for its IE version. To approve one or more updates, check the box next to each update, then click "Approve". Confirm your selection by clicking "Yes" in the prompt that appears. SUS will then display a dialog box listing the updates you have selected and prompting you to accept the EULA for these updates. Depending on your screen resolution and browser settings, the "Accept" and "Don't Accept" buttons might not appear. This happens if the dialog box is too small to display all the updates. Unfortunately, you cannot resize this dialog box. However, you can place the mouse pointer in the list box and press the Tab key to make both buttons visible. Click "Accept" to approve the updates for deployment on the AU clients.


6.3 Configuring the AU Clients

Installing the AU clients


In order for plant PCs to be able to receive updates from the SUS server, the AU client must be installed on them. This occurs automatically with the following operating systems:
- Windows 2000 SP3 and higher
- Windows XP SP1 and higher
- Windows Server 2003

Because WinCC Version 6 systems need one of these operating systems, the AU client is always installed. Basically, the configuration only involves changing a few registry values. Since it is impractical to change these registry values manually, you should use a Group Policy that can be edited using the Microsoft Management Console (MMC) shown in Figure 6-15.

Figure 6-15 AU clients: Configuring automatic updates


1. Double-click the "Configure Automatic Updates" policy. Select "Enabled" in the properties window (see Figure 6-16). In the "Configure automatic updates" drop-down list box, select the option that matches your requirements:
- 2 - Notify for download and notify for install
- 3 - Auto download and notify for install
- 4 - Auto download and schedule the install

Figure 6-16 AU clients: Configuring automatic updates

2. Once you have completed the configuration of the policy, click OK.


3. Double-click the "No auto-restart for scheduled Automatic Updates installations" policy. Select "Enabled" in the properties window shown in Figure 6-17.

Figure 6-17 AU client - No auto-restart

4. Once you have completed the configuration of the policy, click OK.


5. Double-click the "Specify intranet Microsoft update service location" policy. Select "Enabled" in the properties window shown in Figure 6-18. In the "Set the intranet update service for detecting updates" edit box, specify the URL you wrote down earlier (i.e., the URL of the SUS server that the client should check periodically for new updates). In the "Set the intranet statistics server" edit box, specify the URL of the IIS server to which the client should report its activities (usually, this URL is the same as the previous one). Click OK and close the Group Policy Editor. Apply your settings.

Figure 6-18 AU client - Configuring the intranet update service location

6. Once you have completed the configuration of the policy, click OK.
7. Force the application of the Group Policy. Computers reapply Group Policies every 90 minutes, with a random offset of up to 30 minutes. So, you might have to wait as long as 2 hours for computers in your domain to start checking the SUS server for approved updates. To force the immediate application of the Group Policy, log onto the computer, open a command shell window, and run the following command:
- On computers with Windows 2000: secedit /refreshpolicy machine_policy
- On computers with Windows XP or Windows Server 2003: gpupdate

The computer should now start downloading all updates you have approved.
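A check that a plant PC actually carries the settings configured in steps 1 to 7 above, written as an added example that is not part of the manual or of Microsoft's tooling. The Group Policy settings land in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer) and its AU subkey (AUOptions, UseWUServer, NoAutoRebootWithLoggedOnUsers); those are the documented Windows Update policy value names, which the manual itself does not list. So that the check runs on any platform, the values are passed in as a plain dict as one would export them from those keys; reading them live with winreg is left out. The sample exports are constructed.

```python
"""Audit of an AU client's Windows Update policy against the rules of this
chapter. Added example; not from the manual or from Microsoft.
"""
from urllib.parse import urlparse

# The three states offered by "Configure Automatic Updates" (Figure 6-16)
AU_OPTIONS = {
    2: "Notify for download and notify for install",
    3: "Auto download and notify for install",
    4: "Auto download and schedule the install",
}


def audit_au_policy(values: dict, sus_host: str) -> list[str]:
    """Return findings; an empty list means the client follows the rules."""
    findings = []

    opt = values.get("AUOptions")
    if opt not in AU_OPTIONS:
        findings.append(f"AUOptions={opt!r}: Automatic Updates not configured (expected 2, 3 or 4)")

    # Rule: plant PCs must not be rebooted automatically after installation.
    # Caveat: Windows honours this policy only while a user is logged on; with
    # nobody logged on, a scheduled installation (option 4) still restarts the PC.
    if values.get("NoAutoRebootWithLoggedOnUsers") != 1:
        findings.append("NoAutoRebootWithLoggedOnUsers != 1: client may reboot the PC on its own")

    # Rule: updates come from the internal SUS server over HTTP, never from
    # the Internet directly (UseWUServer=0 makes the client ignore WUServer).
    if values.get("UseWUServer") != 1:
        findings.append("UseWUServer != 1: client ignores WUServer and contacts Windows Update directly")
    for name in ("WUServer", "WUStatusServer"):
        url = values.get(name)
        if not url:
            findings.append(f"{name} not set")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "http" or parsed.hostname != sus_host.lower():
            findings.append(f"{name}={url}: expected http://{sus_host}")
    return findings


# Constructed sample exports (not taken from a real system)
COMPLIANT = {
    "AUOptions": 3,
    "NoAutoRebootWithLoggedOnUsers": 1,
    "UseWUServer": 1,
    "WUServer": "http://sus-ca.laboratory.siemens.net",
    "WUStatusServer": "http://sus-ca.laboratory.siemens.net",
}
NON_COMPLIANT = {
    "AUOptions": 4,
    "UseWUServer": 0,
    "WUServer": "https://windowsupdate.example.invalid",
}

if __name__ == "__main__":
    for label, values in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, audit_au_policy(values, "sus-ca.laboratory.siemens.net") or ["OK"])
```

Running it against the constructed exports reports nothing for the first and four findings for the second (missing no-reboot policy, direct Internet access, wrong update URL, missing statistics server). The same function accepts the NetBIOS form used earlier in this chapter (http://SUS-CA) because host names are compared case-insensitively.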


Application to system types


Single-user system The procedure described above is too tedious for a single-user system. In this case, it is sufficient to enable the "Automatic Update Service" in Windows XP or Server 2003 and to use MBSA from time to time to check if all updates have actually been installed.

Multi-user system We recommend you proceed exactly as described above for multi-user systems.

Large system In large systems, it is absolutely essential to follow the instructions given above precisely in order to avoid security risks.


Secure Network Access to Security Cells

Principle: Closed system in accordance with FDA


Secure network access points are an absolute necessity for a closed system. The following methods of achieving this are described in this chapter:
1. Using firewalls for access points
2. Using virus scanners for access points
3. Integration of remote WinCC PCs into the closed system
In order to configure firewalls, virus scanners and IPSec, the approved and necessary data traffic must be known and identifiable.

Application to system types


The following section, "Mapping Data Traffic", primarily refers to the "large system" type. Only the parts relating directly to the control layer are relevant for a "multi-user system".

7.1 Mapping Data Traffic

Overview of the data traffic in "Plant.com"


In Figure 7-1 the "Plant.com" example has been simplified to provide a clearer view of the data traffic. The terminal bus (A) on the control layer contains one WinCC server and one WinCC client. Communication between the two does not require encryption or protection with complex measures, because it takes place in the security cell of the control layer. User permissions are the only security measures used. They prevent unauthorized operations and maloperation. The MES layer (B) is used for data transfer. Specific network subscribers on this network can be trusted if the following security precautions have been taken (all required security updates have been installed, up-to-date virus scanner, restricted network access, access exclusively by authorized and trusted personnel). Subscribers on the ERP layer (C) only have access to the MES layer (B) and to the approved Web Server. Access to the latter is only possible using auditable mechanisms (http) through the MES firewall with a configured virus scanner module.


No communication takes place between the ERP layer (C) and the control layer (A).

Figure 7-1 Overview of data traffic


Detailed mapping of data traffic


Data traffic on the control layer: Direct communication between the WinCC server and WinCC client is permitted on the terminal bus (A) and must not be inhibited by encryption.

Figure 7-2 Data traffic on the control layer


Data traffic between the control and MES layers: Protected and securely authenticated communication between the WinCC server (A) and the remote WinCC client (B) is permitted, but it must always be verified. This may result in slight delays and reduced performance.

Figure 7-3 Data traffic between the control layer and MES layer


Data traffic to the ERP layer via SUS-CA: Access to the SUS-CA server via HTTP is permitted for every plant computer.

Figure 7-4 SUS data traffic


Data traffic to the ERP layer with access by Web clients: A Web client (C) on the ERP layer is permitted to access a Web server (B) on the MES layer via the MES firewall.

Figure 7-5 Web client data traffic


7.2 Using Firewalls for Access Points

7.2.1 General Information About Firewalls
Defined in general terms, a firewall is not only a piece of technical equipment. Its true worth lies in its ability to provide an integrated security concept for protecting a network and its subscribers. That is why this chapter should not be viewed in isolation but should instead be considered in combination with all the other chapters of this manual. A plant will be far from secure if you only follow the suggestions presented in this chapter. In the following, the term firewall refers to firewall products, that is to say firewalls such as ISA Server 2004, Windows Firewall and similar. Optimum protection against spying on important information, unauthorized modification of data, network attacks, the spreading of viruses, and incorrect responses can only be ensured if a carefully planned strategy is adopted.

7.2.2 Using the Microsoft ISA Server as a Firewall

Microsoft ISA Server


In contrast to many other firewall products, the Microsoft ISA Server (Internet Security & Acceleration Server) offers the following additional features:
- Filtering of HTTP traffic on the application layer
- Inspection of HTTP traffic with a virus scanner module
- Permission for passing network traffic using computer and/or user authentication
- Receiving and decrypting IPSec data traffic as a proxy, thereby offering the capability to analyze it for anomalies (see 7.4.1)

Advantage
In addition to allowing you to block the required and particularly vulnerable ports of the file and Windows network services at access points, Microsoft ISA Server allows you to use certificate-based IPSec connections to make these specific ports available again to special computers and users.

Requirements
There are no other unprotected access points to the respective security cell. The special computers and users who are permitted access must be configured with at least an equal amount of care and protection as the security cell itself. They are defined as "trusted".

What does this ensure?


Data traffic defined in this way is:
- Unique
- Authenticated
- Auditable for harmful content
- Controllable
- Uninhibited in its important connections


Example configuration: Overview of the data traffic in "Plant.com"


As described in Section 7.1 "Mapping Data Traffic", configuration of the firewall requires a good understanding of the data traffic. Figure 7-6 shows the data traffic permitted between security cells. You must configure the firewall so that it effectively blocks all other data traffic.

Figure 7-6 Overview of data traffic


Configuration of the ISA Server 2004 Firewall Control System


The ISA Server is a powerful firewall that offers many more options than a normal desktop firewall. For this reason, it is not possible to go into detail about the exact configuration of an ISA Server in this manual. For more information, refer to the ISA Server 2004 descriptions provided by Microsoft. The following rules should be applied to a factory-configured ISA Server to safeguard data traffic between the MES and control layers as described above:

Figure 7-7 ISA Server Configuration

FROM: "Internal SECERP", "Internal SECMES"
TO: "Internal SECERP", "Internal SECMES"
Protocols: HTTP, HTTPS
Allow: All Users

FROM: "Internal SECControl", "Internal SECMES"
TO: "Internal SECControl", "Internal SECMES"
Protocols: HTTP, HTTPS
Allow: All Users

FROM: "Internal SECControl", "Internal SECMES"
TO: "Internal SECControl", "Internal SECMES"
Protocols: ICE Client, ICE Server, IPSec-ESP, IPSec-ESP Server, IPSec-NAT-T Client, IPSec-NAT-T Server, L2TP Client, L2TP Server, PPTP, PPTP Server
Allow: All Users
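The three access rules above, modelled in code and checked against the traffic matrix of Section 7.1 "Mapping Data Traffic". This is an added example; it is not ISA Server's configuration format or API, only a model of its decision logic (ordered allow rules, and anything that matches no rule is dropped by the default rule). Network and protocol names are the ones used in this chapter; the user condition ("All Users") is not modelled, and the flows to be blocked are constructed.

```python
"""Decision logic of the access rules of Figure 7-7 applied to the traffic
matrix of Section 7.1. Added example; a model, not ISA Server itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    protocols: frozenset


ERP_MES = frozenset({"Internal SECERP", "Internal SECMES"})
CONTROL_MES = frozenset({"Internal SECControl", "Internal SECMES"})
WEB = frozenset({"HTTP", "HTTPS"})
IPSEC_VPN = frozenset({
    "ICE Client", "ICE Server", "IPSec-ESP", "IPSec-ESP Server",
    "IPSec-NAT-T Client", "IPSec-NAT-T Server",
    "L2TP Client", "L2TP Server", "PPTP", "PPTP Server",
})

# The three rules of Figure 7-7, in the order given there
RULES = [
    Rule("ERP <-> MES web", ERP_MES, ERP_MES, WEB),
    Rule("Control <-> MES web", CONTROL_MES, CONTROL_MES, WEB),
    Rule("Control <-> MES IPSec/VPN", CONTROL_MES, CONTROL_MES, IPSEC_VPN),
]


def evaluate(src: str, dst: str, protocol: str, rules=RULES) -> tuple:
    """First matching rule wins; no match means the default (deny) rule."""
    for r in rules:
        if src in r.sources and dst in r.destinations and protocol in r.protocols:
            return "allow", r.name
    return "deny", "default rule"


# Flows from Section 7.1 plus constructed flows that must be blocked
TRAFFIC_MATRIX = [
    ("Internal SECControl", "Internal SECMES", "HTTP"),       # plant PC -> SUS-CA
    ("Internal SECERP", "Internal SECMES", "HTTP"),           # Web client -> Web server
    ("Internal SECMES", "Internal SECControl", "IPSec-ESP"),  # remote WinCC client -> server
    ("Internal SECMES", "Internal SECControl", "SMB"),        # unprotected file sharing
    ("Internal SECERP", "Internal SECControl", "HTTP"),       # ERP must never reach control
]


def check_matrix(flows=TRAFFIC_MATRIX) -> dict:
    """Map every flow to the firewall's decision and the rule that made it."""
    return {flow: evaluate(*flow) for flow in flows}


if __name__ == "__main__":
    for (src, dst, proto), (decision, rule) in check_matrix().items():
        print(f"{src:20} -> {dst:20} {proto:10} {decision:5} ({rule})")
```

The two constructed flows show what the rule set achieves: file sharing between MES and control matches no rule and is dropped, and ERP traffic never reaches the control layer because no rule names both networks. Note that the rules as listed in Figure 7-7 are symmetric, so HTTP is permitted in both directions between the control and MES layers; whether that is tightened is a decision for the firewall administrator.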


Example configuration - Network access points for the firewall


Figure 7-8 shows the three access points in the "Plant.com" example plant. The DCS firewall to protect the control layer (A), the integrated firewall of the support dial-up server (B) and the connection of the complete plant to the office network ERP (C).

Figure 7-8 Network access points for the firewall


7.2.3 Using Local Firewalls on WinCC PCs

Note
WinCC V6.0 SP4 and earlier do not support the activation of a local firewall on a WinCC PC.

Application to system types


Single-user system Since the network adapter forms the access point in a single-user system, you need to enable and configure the local firewall. The required settings, however, cannot be published at this date. They will be made available in the next version of this document following long-term testing.

Multi-user system, large system

Since the WinCC PCs are located within a security cell, only a few minimal settings are needed for the local firewall. The required settings, however, cannot be published at this date. They will be made available in the next version of this document following long-term testing. This is why only the firewall properties at the access points are used at this time.


7.3 Using Virus Scanners for Access Points

7.3.1 Using Local Virus Scanners on WinCC PCs (Distributed Access Points)
If a virus scanner at the central access point is not sufficient or practical, "inbound" data traffic must be scanned for viruses on each individual plant PC. As a result, each plant PC is its own access point, and the attainable protection for the plant is only as high as that of the individual plant PCs combined.

Rules for local virus scanners


Manual search: A manual search must not be performed on WinCC PCs during process operation (Runtime). It should be performed at regular intervals, for example, during scheduled maintenance on all plant PCs.
Real-time search: It is sufficient to scan inbound data traffic during a real-time search.
Scheduled search: Scheduled searching must be disabled.

What does this ensure?


Inbound data traffic is free of viruses.
The entire plant PC is free of viruses.

Approved virus scanners for WinCC V6.0 SP2 and higher (acc. to WinCC V6.0 SP4 release notes)
The following virus scanners have been tested for compatibility with WinCC V6.0 SP2 and higher:
Symantec AntiVirus Corporate Edition V8.1 and higher
Trend Micro Server Protect V5.56 and higher
Trend Micro Office Scan NT V5.02 and higher

Note
At the current time, all virus scanners must be disabled when operating a WinCC long-term archive server, due to possible interference from the scan.


Application to system types

Single-user system
Since the network adapter forms the access point in a single-user system, you need to install and configure a local virus scanner.

Multi-user system, large system
With a multi-user system or large system, it is practical to install a server-client architecture for virus scanners. Figure 7-9 shows the basic principle using Trend Micro OfficeScan V7 as an example. The SUS-CA server operates as the OfficeScan server in our example plant. This PC, therefore, now performs three functions:
Server for the Software Update Service
Stand-alone certification authority (see Requesting and Installing Certificates)
OfficeScan server

All plant PCs act as OfficeScan clients.

Figure 7-9 Virus scanner architecture


7.3.2 Using a Microsoft ISA Server Virus Scanning Module at the Central Access Point of a Plant
Virus scanning modules such as the "Trend Micro InterScan Web Security Suite", which can be integrated as a module in the Microsoft ISA Server, use anti-virus, anti-phishing, anti-spyware, and optional URL technologies to check all passing Web data traffic. With the Microsoft ISA Server and an integrated virus scanning module, IPSec connections can be received as a proxy for protected plant PCs, unpacked and their Web content checked for viruses. They are only forwarded to the destination computer if their content has been deemed to be safe.

Rules for monitoring data traffic


All data traffic passing through this access point must be inspected. No exceptions that would allow insecure communication are permitted. In other words, it must not be possible for data traffic to bypass the central access point.

What does this ensure?


All Web data traffic is trustworthy and free of viruses.


7.4 Integration of Remote WinCC PCs Into the Closed System in Accordance with FDA
Integration into the closed system means that WinCC PCs that are physically located outside the closed system or a security cell but nevertheless have access to the plant, are included in the closed system or security cell using network technology.

What does this ensure?


This ensures the integrity of the closed system or security cell.

Rules for integration into the closed system


Since the WinCC PCs outside the closed system have similar access privileges to those within it following integration, these computers must first be made trustworthy as described below. This means:
The latest security updates must be installed.
An up-to-date virus scanner must be installed and appropriately configured.
User management must be configured as described in "User and Access Management in WinCC and Integration Into Windows Management". This ensures that "ClientDesktopUser" cannot make changes to the operating system, for example. This also applies to the software that runs in this context.
Network access to these WinCC PCs must be restricted to the required level. For example: under normal circumstances, no-one will require access to a standard WinCC client; only Web clients need access to a WinCC Web server via http or https.
A secure authentication method must be provided to ensure that the WinCC PC to be integrated is in actual fact the computer it purports to be.


Application to system types

Single-user system
Currently none available.

Multi-user system, large system
Figure 7-10 shows an example for the integration of trusted computers WinCCClient02 and WinCCWebServer01 (B) into the control layer security cell via an IPSec tunnel to WinCCServer01 (A).

Figure 7-10 Integration of remote WinCC clients


7.4.1 Using and Configuring Authentication and Encryption with IP Security

IP Security
IP Security (abbreviated as IPSec) is a secure communication method that can authenticate, sign and encrypt the data traffic between two or more network nodes based on filtering rules and for the most part transparently. The additional computation required by this reduces performance, however. If the data are encrypted, the data traffic can no longer be inspected. The following options are available for secure authentication of the communicating plant PCs:
Active Directory Standard (Kerberos V5 Protocol)
Using a certificate from a certification authority
Using a character string for protecting the key exchange

Rules for integration with IP Security


If a certificate server is no longer needed, the service must be temporarily disabled.
Only the data traffic to be protected is defined by the filter rules described under "IP Security Policy" (see page 7-19 ff).
The local IP Security settings must not compete with the settings required by the domain.
The rules defined under "IP Security Policies" must not be changed.
Each computer can have only one active IP Security Policy.
Each IP Security Policy may contain several IP Security rules, lists and actions.
Each IP Security rule must be described by one (and only one) IP Security list and one (and only one) IP Security action.

What does this ensure?


The "Control System" firewall with a centralized setting is responsible for protecting the plant against unknown network subscribers. This enables plant PCs within a security cell to communicate securely with other integrated plant PCs. The plant PCs can still be expanded and do not need to be adapted individually if an additional plant computer or diagnostic station is introduced.

Description of the plant configuration - Integration with IP Security


An example is presented in the following sections describing how unique machine-based certificates are used to set an IP Security Policy on a WinCC server on the control layer for communication with a WinCC client on the MES layer. A certification authority is installed on the SUS server for this. A new rule is set on all plant PCs that need to communicate with one another via an IP security tunnel. This rule is defined in the "Local Security Policy Management" console under "IP Security Policies". This rule defines the data traffic that will be permitted at the firewall for trusted plant PCs located outside the security cell.


Overview of IP Security rules and IP filter lists

IP security rules for plant PCs on the control layer for the "SIMATIC Networks" security policy:

Name of rule   Filter list          Filter action   Tunnel settings   Connection type   Authentication method
Control        Traffic to Control   Allow           No tunnel         All               Not applicable
MES            Traffic to MES       3DES required   No tunnel         All               Certificate
ERP            Traffic to ERP       Block           No tunnel         All               Not applicable
HTTP           HTTP                 Allow           No tunnel         All               Not applicable

Default response rule: Deactivated

The names of the filter lists are chosen to reflect their function. The same applies to the filter action, "3DES required": the name should give an indication of the encryption method used.

IP filter lists for plant PCs on the control layer:

Filter list          Source address   Source mask       Source port   Destination address   Destination mask   Destination port   Mirrored   Protocol type
Traffic to Control   Own IP address   255.255.255.255   Any           192.168.25.0          255.255.255.0      Any                Yes        Any
Traffic to MES       Own IP address   255.255.255.255   Any           192.168.125.0         255.255.255.0      Any                Yes        Any
Traffic to ERP       Own IP address   255.255.255.255   Any           192.168.225.0         255.255.255.0      Any                Yes        Any
HTTP                 Own IP address   255.255.255.255   Any           192.168.125.53        255.255.255.255    443                Yes        TCP
HTTP                 Own IP address   255.255.255.255   Any           192.168.125.53        255.255.255.255    80                 Yes        TCP


IP security rules for plant PCs on the MES layer for the "SIMATIC Networks" security policy:

Name of rule   Filter list          Filter action   Tunnel settings   Connection type   Authentication method
Control        Traffic to Control   3DES required   No tunnel         All               Certificate
MES            Traffic to MES       Allow           No tunnel         All               Not applicable
ERP            Traffic to ERP       Allow           No tunnel         All               Not applicable
HTTP           HTTP                 Allow           No tunnel         All               Not applicable

Default response rule: Deactivated

IP filter lists for plant PCs on the MES layer:

Filter list          Source address   Source mask       Source port   Destination address   Destination mask   Destination port   Mirrored   Protocol type
Traffic to Control   Own IP address   255.255.255.255   Any           192.168.25.0          255.255.255.0      Any                Yes        Any
Traffic to MES       Own IP address   255.255.255.255   Any           192.168.125.0         255.255.255.0      Any                Yes        Any
Traffic to ERP       Own IP address   255.255.255.255   Any           192.168.225.0         255.255.255.0      443                Yes        TCP
HTTP                 Own IP address   255.255.255.255   Any           192.168.125.53        255.255.255.255    443                Yes        TCP
HTTP                 Own IP address   255.255.255.255   Any           192.168.125.53        255.255.255.255    80                 Yes        TCP


IP filter actions for plant PCs on the control and MES layers:

Filter action     Action               Communication with computers that do not support IPSec   IP traffic security
3DES required     Negotiate security   No                                                        Encryption and integrity
Allow (default)   Allow                Not applicable                                            Not applicable
Block             Block                Not applicable                                            Not applicable

Resulting rule for the example configuration

The following rule results for a Security Policy on a WinCC server on the control layer:

IP Security Policy: "SIMATIC Networks"
Default response rule: Deactivated
IP Security Rule: MES + 3DES required
  Tunnel settings: The rule specifies no tunnel
  Connection type: All network connections
  Authentication method: Certificate of a certification authority
  IP Filter List: MES
    Description: Traffic to MES
    Mirrored: Yes
    Source address: Own IP address
    Source mask: 255.255.255.255
    Destination address: Special IP subnet, 192.168.125.0
    Destination mask: 255.255.255.0
    IP protocol type: Any
  Filter action: 3DES required
    Description: Encryption and integrity
    Filter action: Negotiate security
    Communication with computers that do not support IPSec: None
    IP traffic security: Encryption and integrity. Data are encrypted, authenticated and remain unchanged.
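An added example (not part of the manual) that models the rule, filter list and filter action tables above in Python and reports which filter action the "SIMATIC Networks" policy applies to a given packet on a control-layer or MES-layer plant PC. Host addresses 192.168.25.10, 192.168.125.20 and 192.168.225.5 are constructed for the example; overlapping filters are resolved in favour of the most specific one, which is how Windows IPSec orders its filters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class IpFilter:
    """One row of an IP filter list. Source is always Own IP address/32, Any port."""
    filter_list: str
    dst_addr: str
    dst_mask: str
    dst_port: Optional[int]    # None == Any
    protocol: Optional[str]    # None == Any, otherwise e.g. "TCP"
    mirrored: bool = True

    def _one_way(self, own_ip, src, dst, dport, proto):
        if ip_address(src) != ip_address(own_ip):
            return False
        dst_net = ip_network(f"{self.dst_addr}/{self.dst_mask}", strict=False)
        if ip_address(dst) not in dst_net:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        return self.protocol is None or proto == self.protocol

    def matches(self, own_ip, src, sport, dst, dport, proto):
        """A mirrored filter also matches the reverse direction (peer -> own IP)."""
        if self._one_way(own_ip, src, dst, dport, proto):
            return True
        return self.mirrored and self._one_way(own_ip, dst, src, sport, proto)

    def specificity(self):
        """Score used to pick the winning filter when several rows match."""
        prefix = ip_network(f"0.0.0.0/{self.dst_mask}").prefixlen
        return 32 + prefix + (self.protocol is not None) + (self.dst_port is not None)


@dataclass(frozen=True)
class IpSecRule:
    name: str
    filter_list: str
    filter_action: str     # "Allow", "Block" or "3DES required"
    authentication: str    # "Certificate" or "Not applicable"


# "IP filter actions" table: name -> (action, talk to non-IPSec peers, IP traffic security)
FILTER_ACTIONS = {
    "3DES required": ("Negotiate security", False, "Encryption and integrity"),
    "Allow": ("Allow", None, None),
    "Block": ("Block", None, None),
}

# Filter lists and rules for plant PCs on the control layer (tables above).
CONTROL_FILTERS = [
    IpFilter("Traffic to Control", "192.168.25.0", "255.255.255.0", None, None),
    IpFilter("Traffic to MES", "192.168.125.0", "255.255.255.0", None, None),
    IpFilter("Traffic to ERP", "192.168.225.0", "255.255.255.0", None, None),
    IpFilter("HTTP", "192.168.125.53", "255.255.255.255", 443, "TCP"),
    IpFilter("HTTP", "192.168.125.53", "255.255.255.255", 80, "TCP"),
]
CONTROL_RULES = [
    IpSecRule("Control", "Traffic to Control", "Allow", "Not applicable"),
    IpSecRule("MES", "Traffic to MES", "3DES required", "Certificate"),
    IpSecRule("ERP", "Traffic to ERP", "Block", "Not applicable"),
    IpSecRule("HTTP", "HTTP", "Allow", "Not applicable"),
]

# Filter lists and rules for plant PCs on the MES layer (tables above).
MES_FILTERS = [
    IpFilter("Traffic to Control", "192.168.25.0", "255.255.255.0", None, None),
    IpFilter("Traffic to MES", "192.168.125.0", "255.255.255.0", None, None),
    IpFilter("Traffic to ERP", "192.168.225.0", "255.255.255.0", 443, "TCP"),
    IpFilter("HTTP", "192.168.125.53", "255.255.255.255", 443, "TCP"),
    IpFilter("HTTP", "192.168.125.53", "255.255.255.255", 80, "TCP"),
]
MES_RULES = [
    IpSecRule("Control", "Traffic to Control", "3DES required", "Certificate"),
    IpSecRule("MES", "Traffic to MES", "Allow", "Not applicable"),
    IpSecRule("ERP", "Traffic to ERP", "Allow", "Not applicable"),
    IpSecRule("HTTP", "HTTP", "Allow", "Not applicable"),
]


def decide(filters, rules, own_ip, src, sport, dst, dport, proto="TCP"):
    """Return (rule name, filter action) that the policy applies to one packet.
    The default response rule is deactivated, so unmatched traffic passes in the
    clear; only the firewall at the access point can stop such traffic."""
    hits = [f for f in filters if f.matches(own_ip, src, sport, dst, dport, proto)]
    if not hits:
        return ("<no filter>", "Allow")
    best = max(hits, key=IpFilter.specificity)
    rule = next(r for r in rules if r.filter_list == best.filter_list)
    return (rule.name, rule.filter_action)


def is_encrypted(decision):
    """True when the chosen filter action negotiates IPSec for the traffic."""
    return FILTER_ACTIONS[decision[1]][0] == "Negotiate security"


def peers_agree(a, b):
    """Both ends must select the same filter action; otherwise one side sends in
    the clear while the other insists on negotiating IPSec."""
    return a[1] == b[1]
```

The model shows that a control-layer PC talking to the Web server on 192.168.125.53:443 hits the more specific "HTTP" filter and is therefore allowed in the clear, while any other port on that host still falls under "Traffic to MES" and requires 3DES.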


Requirements for the example configuration


The certification authority certificates must have been downloaded on both WinCCServer01 and WinCCClient02 as described in 7.5.2 "How to Download a Certification Authority Certificate".
The local machine-based certificates must have been requested and installed on both WinCCServer01 and WinCCClient02 as described in 7.5.3 "Requesting and Installing a Local Computer Certificate for IPSec".
IPSec data traffic on the control system firewall has been enabled.

Procedure
To create a new IP Security Policy, follow the instructions in this section. We recommend you use the available wizards. If you retain the default settings, the following wizard routines will be performed:
IP Security Policy Wizard
Security Rule Wizard
IP Filter Wizard
Filter Actions Wizard

1. Create a Microsoft Management Console (MMC) that contains the "IP Security Monitor" and "IP Security Policies on the Local Computer" snap-ins.

Figure 7-11 MMC IPSec default

Click IP Security Policies in the console tree and then on Name in the right pane. Select the menu command Action > Create IP Security Policy. Follow the instructions of the IP Security Policy Wizard until the "Properties" dialog box for the new policy is displayed. Assign the name "SIMATIC Networks" for your security policy. Deactivate the standard response rule.

2. In the properties dialog box for the new security policy, open the "Rules" tab and click "Add". Follow the Security Rule Wizard instructions and make the following settings:
Tunnel settings: The rule specifies no tunnel.
Network type: All network connections
In the IP Filter Lists dialog box of the Security Rule Wizard, click "Add" to start a new IP filter list. Select the name "Traffic to MES".


3. In the "IP Filter List" dialog box, click "Add" to start the IP Filter Wizard. Make the following settings:
Mirrored: Enabled
Source address: Own IP address
Destination address: Special IP subnet
IP address: 192.168.125.0
Subnet mask: 255.255.255.0
IP protocol type: Any

4. Click "OK" to close the "IP Filter List" dialog box.
5. Click "Next" in the Security Rule Wizard.
6. In the "Filter Action of the Security Rule Wizard" dialog box, click "Add" to start the Filter Action Wizard.
7. Follow the Wizard instructions and make the following settings:
Name of filter action: 3DES required
Filter action: Negotiate security
Communication with computers that do not support IPSec: None
IP traffic security: Encryption and integrity

8. Select the filter action you have just created in the Security Rule Wizard.
9. Follow the Wizard instructions and select "A certificate from the following certification authority" as the authentication method. Select the certification authority: Plant CA.
10. Close all dialog boxes and activate the security policy.

Figure 7-12 MMC IPSec "SIMATIC Networks"


7.4.2 Using and Configuring Authentication and Encryption with Secure Sockets Layer

SSL and https


SSL (Secure Sockets Layer) is a transmission protocol developed by Netscape that supports encrypted communication using tunneling. Today, SSL encryption is used primarily with HTTPS. https is an acronym for hypertext transfer protocol secure and is a network protocol that supports a secure HTTP connection between Web servers and Web clients.

What do SSL and https ensure?


The use of SSL and https assures the Web client that it is actually connected to the configured Web server. Downloads of signed applications and application components (ActiveX Controls) are made verifiable for the user. If an "external" Web server makes itself available, the user can decide whether or not to perform a download. The user can check the trustworthiness of the Web server from the information displayed about the certification authority.

Example configuration - Connecting a WinCC Web client with https


Figure 7-13 illustrates the connection of WebClient02 to WinCCWebServer01.

Figure 7-13 Web client data traffic


Requirements for the example configuration


The certification authority certificates must have been downloaded on both WinCCWebServer01 and WebClient02 as described in 7.5.2 "How to Download a Certification Authority Certificate".
Web server WinCCWebServer01 has been configured as described in 7.5.4 "Configuring SSL on a Web Server".
https data traffic has been enabled on the MES firewall.
The multi-client project on WinCCWebServer01 has been configured for the Web Navigator and is in runtime.

Procedure for the example configuration


1. Start Internet Explorer on WebClient02 and type in the address https://WinCCWebserver01.laboratory.plant.com/.
2. All three security certificate checks must be positive. Depending on the Internet Explorer settings, such a security notification may not be displayed even when all three checks are positive.

Figure 7-14 Valid SSL security certificate


Figure 7-15 Invalid SSL security certificate

3. Log onto WinCCWebServer01 as the user configured in the "User Administrator" editor.
4. If the WinCC WebNavigator has not yet been installed on WebClient02, this can be performed now via https. The same applies for the WinCC/WebNavigator user plug-ins.
5. The plant displays can now be displayed on WebClient02.


7.4.3 Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access

Adding Support Computers


Maintenance and support for a plant sometimes makes it necessary to temporarily add an "external" computer, i.e., a computer that does not belong to the plant, to the system. Since the entire plant has a uniform security configuration and a uniform update status, the addition of this support computer represents a high risk. It must, therefore, be ensured that the support computer poses no threat (e.g., viruses) to the plant and that it meets all security regulations. The computer may have to be reconfigured and updated before it is given access to the system.

Network Access Quarantine Control and VPN


Network Access Quarantine Control together with a VPN remote dial-up is the best way to achieve this. There are several solutions from hardware and software manufacturers to realize this method. Most of these solutions, however, are linked to the use of the manufacturers' products and only provide limited configuration options for the administrator. This is why we recommend using ISA Server 2004, because it offers the most customizable configurations and provides a high degree of security compared with the standard Windows Server 2003 VPN quarantine tools. For example, only specific users can access the plant via the VPN quarantine. The following description refers exclusively to the VPN quarantine with ISA Server 2004.

Network Access Quarantine Control


Microsoft definition: http://www.microsoft.com/technet/isa/2004/plan/vpnroamingquarantine.mspx


Application of quarantine control


The quarantine control feature provides phased network access for remote (VPN) clients. Access is limited to a quarantine mode until full access to the network is permitted. After the client computer configuration is either brought into or determined to be in agreement with your organization's specific quarantine restrictions, the standard VPN policy is applied to the connection. This is done in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while the client computer is connected to your network. Although quarantine control does not protect against attackers, it is possible to verify and, if necessary, correct computer configurations for authorized users before they can access the network. A timer setting is also available, which you can use to specify when the connection will be dropped if the client fails to meet configuration requirements. The quarantine control feature can also be used in conjunction with VPN and an encrypted point-to-point link to provide protection against attackers.

VPN
Microsoft definition: http://www.microsoft.com/technet/isa/2004/plan/vpnroamingquarantine.mspx

Application of VPN
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. To emulate a point-to-point link, data are encapsulated, or packed, with a header that provides routing information. This information allows the data to traverse the shared or public network to reach its destination. To emulate a private link, the data are encrypted for confidentiality. Data intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data are encapsulated and encrypted is a VPN connection.


Operating principle

Note
We have decided to use a stand-alone ISA Server 2004 for VPN dial-up in the following example. Of course, one of the two firewalls (Figure 7-16) might also perform this job if it is an ISA Server 2004. The combination of SUS and Quarantine Control PC is also only an example. The two functions could also be separated and run on different computers.

1. First, a dial-up file must be created by "Production-Admin", for example (Section 3). This file establishes a VPN connection, checks the support computer (A), installs the security updates and certificates, and then allows the support computer access to the plant. (For more detailed information, see "Configuration overview" below.)
2. The support employee must then connect to the network through an access point (C) assigned to him or her by the plant personnel.

Figure 7-16 Support dial-up hub

3. Although the support computer (A) is now connected to the ISA Server 2004 (B), as an unknown computer it has absolutely no permissions on the network and cannot access the plant. Only after the administrator has provided the support computer with the dial-up file can the actual support dial-up begin. The administrator can supply the dial-up file to the support employee on a floppy or CD, or make it available in a shared folder on the ISA server.


4. Once the support employee has run the dial-up file, (s)he simply needs to enter his or her user name and password, which (s)he will have received from Production-Admin, for authentication purposes. This information must be specified by the administrator when configuring the ISA server VPN dial-up (see VPN Configuration). An encrypted VPN connection (D) to the ISA server is now established (see Figure 7-17).

Figure 7-17 Support dial-up VPN tunnel

5. ISA Server 2004 detects the new VPN connection and, based on its firewall rules (see Quarantine Configuration), recognizes from the IP address and user name that it is a support dial-up. The ISA Server 2004 assigns the support computer an IP address on the quarantine network (E) (see Figure 7-18).

Figure 7-18 Support dial-up quarantine network


6. Once the support computer is on the quarantine network, it begins its check. Depending on the requirements of the plant, it might check if:
A virus scanner is activated
The support computer is free of viruses
A firewall is active
All the latest updates and patches have been installed

Any missing components and patches may be installed or activated from the SUS/Quarantine Control server (F). If the plant is working with IPSec, a certificate may be requested and installed from the certification authority. The computer has no access to the plant during this entire procedure.
7. Only once all checks have been completed successfully does the dial-up file inform the ISA Server 2004 of this and the ISA Server 2004 allow the support computer full access to the plant (G).

Figure 7-19 Support connection plant access

Note
Only the connection to the support hub is a real, physical connection. All other connections (Figure 7-17 Support dial-up VPN tunnel to Figure 7-19 Support dial-up plant access) are emulated as "virtual" connections by ISA Server 2004. This means that the support computer is given permissions by the policies and rules as if it were a subscriber to these networks.


Configuration overview
The configuration of the support dial-up is divided into three main parts:
VPN configuration
Quarantine configuration
Creation of a Connection Manager profile. This is the dial-up file that establishes the connection from the VPN client (support computer) to the dial-up computer (ISA Server 2004) and checks the VPN client.
The basic steps involved in this configuration are explained in the following section based on the example above. The general settings for ISA Server 2004 are not described here.

VPN configuration
Proceed as described in Figure 7-20 to configure VPN remote dial-up. The numbering of the sections below corresponds to the individual steps. Click the respective links to perform the configuration tasks.

Figure 7-20 VPN configuration overview


1. Verify that VPN client access is enabled (Step 1):

Figure 7-21 VPN maximum connections

For the ISA Server to accept VPN client connections, the "Enable VPN client access" box must be checked. Specify the maximum number of simultaneous connections in the "Maximum number of VPN clients allowed" edit box. Enter a value of 10 here to allow ten clients simultaneous access.


2. Specify Windows users (Step 2): ISA Server 2004 expects information about the users or group of users that are allowed to establish VPN connections with the ISA server. It does not matter whether this is a local group or a group from the domain. Enter a local group called "VPN Support Dial-up" in the Windows User Management. Add all users who are permitted to access the plant through the support dial-up to this group. It is best to create dedicated support users for this purpose.

Figure 7-22 VPN support employee group 1


Now add this group on the "Groups" tab of the VPN Clients Properties dialog box.

Figure 7-23 VPN support employee group 2


3. Verify the VPN properties (Step 3.1): In the "Protocols" tab, select the tunneling protocol for which ISA Server 2004 is to accept connections. Select the default tunneling protocol "Enable PPTP". Although it offers somewhat less security than a connection via IPSec, it does not require its own certificate for the connection. PPTP is fully sufficient for the support dial-up.

Figure 7-24 VPN protocols


4. Verify remote access configuration (Step 3.2): VPN access can take place from several networks. However, as support employees only have access to the plant through specific dial-up points, only one network, i.e., the support network including all dial-up points for support employees, is required. If VPN connections from other networks are added later, for example, support dial-up via the Internet, they also have to be specified here.

Figure 7-25 VPN access networks

Specify how the VPN clients receive their IP address in the "Address Assignment" tab. This can be through a static address pool or through a DHCP server. The "Use the following network to obtain DHCP, DNS and WINS services" option specifies which DNS server and WINS server is assigned to the VPN client.


Select "Static address pool" and click "Add". Enter the address range 192.168.68.90 to 192.168.68.100. The number of addresses in the range must exceed the number of simultaneous connections assigned by at least one. For DHCP, DNS, and WINS services, use the MES network where the access computer for the VPN clients is located.

Figure 7-26 VPN address assignment

These settings could also be configured manually by clicking the "Advanced" button (see small image), but it is not necessary here.


To establish the connection, an authentication method to be used to authenticate the support employee must be specified. It makes sense here to accept the MS-CHAPv2 authentication method, since this is the most secure of the available methods for authenticating with user name and password.

Figure 7-27 VPN authentication

Steps 4 and 5 in Figure 7-20, configuring the firewall rules for the VPN clients and configuring the network rules, are dealt with at the end of the quarantine configuration together with the required settings.

Quarantine configuration overview


Quarantine configuration is divided into the following steps:
Installing the Windows 2003 Resource Kit
Configuring the script for RQS service
Starting the script for RQS service
Setting up the firewall rules


Installing the Windows 2003 Resource Kit and update


To configure "Network Access Quarantine Control", the following tools and updates must first be installed:
Windows 2003 Resource Kit
Windows 2003 Resource Kit RQS Update
Microsoft RQSUtils

The two notification components, RQS.exe and RQC.exe, are required from the Windows 2003 Resource Kit and the update. They are used by the VPN client to inform the dial-up computer that the former has successfully completed its check. RQS.exe is a listener component that runs on the dial-up computer. It waits for notification from the VPN client. RQC.exe is its counterpart, and sends the notification to the dial-up computer. The syntax is as follows:

rqc connection name Tunnel name Domain User name Authentication string

After installing the resource kit and update, install the RQSUtils. Follow the dialog boxes and specify an installation path.

Figure 7-28 Quarantine RQSUtil install

Figure 7-29 Quarantine RQSUtil path



Starting the script for the RQS service


Now start the script with the following parameters:

cscript ConfigureRQSForISA.vbs /install AllowedSet RqsToolsPath

AllowedSet is a string that must be sent by RQC.exe to identify itself to RQS.exe and to tell it that the check has been completed successfully. Use "\0" to separate several strings (e.g. EverythingOK1\0EverythingOK2). RqsToolsPath is the path to the RQS Tools without specification of a file name.

Example: cscript ConfigureRQSForISA.vbs /install AllOK1 "c:\Program Files\Windows Resource Kit\Tools"

Figure 7-30 ConfigureRQSForISA.vbs parameters


Figure 7-31 ConfigureRQSForISA.vbs completed successfully

Creating the firewall rules


When the script has finished successfully, open the ISA Management Console to create the required firewall rules. A "Network Quarantine (RQS)" rule has already been created by the ConfigureRQSForISA.vbs script. Creating the rules for the VPN clients completes items 4 and 5 of the VPN configuration. Now create two new rules with the following content (see Figure 7-33):
- FROM: "VPN Clients"; TO: "Internal", "Internal SECERP", "Internal SECMES", "Internal SECControl"; PROTOCOL: All Outbound Traffic; ALLOW: Support Employee Group
- FROM: "Quarantined VPN Clients"; TO: "SUS/Quarantine Control Server"; PROTOCOL: All Outbound Traffic; ALLOW: Support Employee Group

Figure 7-32 Quarantine firewall rules


Now open Configuration/Networks in the ISA Management Console and select the "Networks" tab. Select "Quarantined VPN Clients", right-click the object and select "Properties" from the context menu. In the "Quarantine" tab, check the "Enable quarantine control" box and select "Quarantine according to ISA Server policies".

Figure 7-33 Enable quarantine

This completes the configuration of VPN quarantine dial-up.


Creating a Connection Manager profile


The creation of the Connection Manager profile is divided into two steps:
- Installing the Connection Manager Administration Kit
- Creating a Connection Manager profile

Now use the Connection Manager Administration Kit on ISA Server 2004 to create a Connection Manager profile and the dial-up file that is used by a VPN client to establish a connection to the dial-up computer and that allows the VPN client to be checked.

Installing the Connection Manager Administration Kit


Start by installing the Connection Manager Administration Kit. Click Start > Settings > Control Panel > Software, select "Add/Remove Windows Components" and then select the "Connection Manager Administration Kit" in the "Management and Monitoring Tools" submenu.

Figure 7-34 Connection Manager Administration Kit


Creating a Connection Manager profile


Once the installation is complete, use the Connection Manager Administration Kit Wizard to create a profile. The following figures illustrate some of the dialog boxes that are displayed during this process. In all other dialog boxes, click "Next" without making any changes.

Figure 7-35 CMAK Wizard


Check the "Phone book from this profile" box and enter the IP address of ISA Server 2004.

Figure 7-36 CMAK phone book


Uncheck the "Automatically download phone book updates" box.

Figure 7-37 CMAK phone book download


Enter a name for the profile to be displayed later in "My Network Places/Connections" on the VPN client. Enter a name for the dial-up file to be generated.

Figure 7-38 CMAK service and file names

The most important component - the quarantine script - appears. As discussed above, it is the core of VPN quarantine dial-up. The Production Administrator can use it to perform all actions (s)he deems necessary to check the support computer.


Select "Post-connect" from the "Action type" drop-down list box. This script will be executed once the VPN client is on the quarantine network. Once the script has successfully performed all actions, it uses RQC.exe to send a string (see ConfigureRQSForISA.vbs) to the dial-up computer, enabling it to take the VPN client out of quarantine and add it to the plant network.

Figure 7-39 CMAK quarantine script


Example script: The following is an example script published by Microsoft that has been changed slightly. This script does not have its own check function; it only serves as a basic framework. It can be modified as needed to execute any desired actions. The script syntax is as follows:

script.bat %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%

%DialRasEntry% becomes %1
%TunnelRasEntry% becomes %2
%Domain% becomes %3
%UserName% becomes %4

@echo off
echo RAS Connection = %1
echo Tunnel Connection = %2
echo Domain = %3
echo User Name = %4
set MYSTATUS=
REM
REM Network Policy Check
REM
REM Checks if ICF (Internet Connection Firewall) is enabled
REM   Sets ICFCHECK to 1 (pass).
REM   Sets ICFCHECK to 2 (fail).
REM Checks for installed virus scanner
REM   Sets VIRCHECK to 1 (pass).
REM   Sets VIRCHECK to 2 (fail).
REM The checks themselves are not implemented in this framework:
REM insert the commands that set ICFCHECK and VIRCHECK here.
REM Rqc.exe is run based on the results
REM
if "%ICFCHECK%" == "2" goto :TESTFAIL
if "%VIRCHECK%" == "2" goto :TESTFAIL
rqc.exe %1 %2 7250 %3 %4 Version1
REM %1 = %DialRasEntry%
REM %2 = %TunnelRasEntry%
REM 7250 is the TCP port where Rqs.exe sets a listener
REM %3 = %Domain%
REM %4 = %UserName%
REM Version1 is the authentication string
REM
REM Status output (ERRORLEVEL is the exit code of rqc.exe)
REM
if "%ERRORLEVEL%" == "0" (
    set MYERRMSG=Success!
) else if "%ERRORLEVEL%" == "1" (
    set MYERRMSG=No access possible. Quarantine control may be disabled
) else if "%ERRORLEVEL%" == "2" (
    set MYERRMSG=Access denied. Install the CMAK profile from the company network.
) else (
    set MYERRMSG=Unknown error, client remains in quarantine mode
)
echo %MYERRMSG%
goto :EOF
:TESTFAIL
REM "echo." prints an empty line; a bare "echo" would print the echo status instead
echo.
echo This computer does not meet the requirements of the IT TRAINING Security Policy
echo GROTE. Contact your administrator to correct this and gain access to the
echo company resources
:EOF


You can include other files in the profile in the final dialog box. Since the script needs RQC.exe to notify the dial-up computer that the check has been completed successfully, this file MUST be added (you can find it in the Windows 2003 Resource Kit directory). All other files required by your script must also be added.

Figure 7-40 CMAK file attachment


Once you have finished, you will find a folder with the name of your profile in the Program Files\cmak\Profiles directory. All of the utilized files are stored there. The client only needs the EXE file and the additional file attachments. Now, when the EXE file is executed on the support computer, a connection to the dial-up computer will be established and the client added to the quarantine network, checked and given access to the plant.

Figure 7-41 CMAK profile

Application to system types


Single-user system
The description above is not applicable to a single-user system. The support employee would simply work directly on the PC in a single-user system.

Multi-user system
The description above can be applied without restriction in a multi-user system. A stand-alone ISA Server 2004 can be used as the dial-up computer. Alternatively, an access point, e.g., to the Internet, can fulfill this function if ISA Server 2004 is installed on it.

Large system
Large systems are considered under the same terms as multi-user systems. The function of the dial-up computer can be fulfilled by a firewall between the networks (ERP layer, MES layer, control layer), provided the firewall is an ISA Server 2004, or by a stand-alone ISA Server 2004.


7.5 Requesting and Installing Certificates

7.5.1 How to Install a Stand-Alone Root Certification Authority
This chapter describes how to install a stand-alone root certification authority on the SUS-CA server on the MES layer.

General information
Certification authority type: Stand-alone root certification authority
General name of the certification authority: Plant CA

Procedure
The installation procedure is also described in the Microsoft "Help and Support Center" for Windows Server 2003 under the following topic: How to Install a Stand-Alone Root Certification Authority
1. Log onto the system as an Administrator, or if you have the Active Directory service, log onto the system as a Domain Administrator.
2. Select the menu command Start > Settings > Control Panel.
3. Double-click "Add or Remove Programs" and then "Add/Remove Windows Components".
4. In the Windows Components Wizard, check the "Update Root Certificates" box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after the installation of Certificate Services. Click "Yes" and then "Next".
5. Click "Stand-alone root CA".
6. Enter the general name of the certification authority. This information cannot be changed once the certification authority has been installed.
7. In "Validity period", specify the validity duration for the root certification authority. See the note below for items to consider when setting this value. Click "Next".
8. Specify the storage locations for the certificate database, the certificate database log and the shared folder. Click "Next".
9. If Internet Information Services (IIS) is running, you will be prompted to stop it before proceeding with the installation. Click "OK".
10. If prompted, enter the path to the Certificate Services installation files.


11. Check the certification authority in the following MMC:

Figure 7-42 Checking the certification authority certificate


12. In Internet Information Services (IIS), ensure that the "Enable session state" box is checked in the properties for the application configuration of the Web site where the certificate server service is to be executed (see http://support.microsoft.com/default.aspx?scid=kb;en-us;840690):
- Click "Start > Programs > Administration Tools > Internet Information Services Manager".
- Right-click the Web site where the certificate server service is running, and then select "Properties".
- Click the "Home Directory" tab, and then under "Application Settings", click "Configuration".
- Click the "App Options" tab in the "Application Configuration" dialog box, and then check the "Enable session state" box.
- Restart Microsoft Internet Information Services (IIS).

7.5.2 Downloading a Certification Authority Certificate


On a PC with a Windows Server 2003 installation you will find information about downloading a certification authority certificate in the Microsoft Help and Support Center under the following search term: Retrieving a certification authority certificate

Procedure
1. Open Internet Explorer.
2. Enter "http://sus-ca/certsrv" as the "Address", where sus-ca is the name of the Web server under Windows Server 2003 on which the corresponding certification authority is located.
3. Click "Download CA certificate, certificate chain or CRL" and then "Next".
4. If you want to trust all the certificates issued by this certification authority, click "Install this CA certificate chain".
5. Once you have finished using the Certificate Services Web pages, close Internet Explorer.

Check the installation of the certification authority certificate using the "Certificates (Local Computer)" and "Certificates (Current User)" snap-ins in the Microsoft Management Console (MMC). The certification authority certificate should be listed for the current user as well as the local computer under "Trusted Root Certification Authorities". If this is not the case, cut the certification authority certificate from the Trusted Root Certification Authorities of the current user and paste it to the same location for the local computer.

Figure 7-43 Certificate download

7.5.3 Requesting a Local Computer Certificate for IPSec


A local computer certificate from the certification authority must be installed on each plant PC. The installation instructions are published by Microsoft under article number 253498, "Install a Certificate for Use with IP Security". The local computer certificate is requested via HTTP. Because the local computer certificate must be used with IPSec, you must submit an advanced request to the CA indicating this.

Installing a local computer certificate from a stand-alone Windows certification authority


1. The request is a Web address that contains the IP address or name of the certificate server, with "/certsrv" appended. In your Web browser, type the following Web address: http://192.168.125.53/certsrv, where the IP address (here 192.168.125.53) or the certification authority name identifies the certificate server.
2. In the initial Welcome screen of the certificate server, click "Request a certificate".
3. In the "Choose Request Type" screen, click "Advanced request".
4. In the "Advanced Certificate Request" screen, click "Submit a certificate request to this CA using a form".
5. In the "Advanced Certificate Request" screen, type your name and your e-mail name in the appropriate boxes.
6. Under "Intended Purpose", select "Client Authentication Certificate" or "Server Authentication Certificate" but not "IPSec Certificate".
7. Under "Key Options" select:
- Leave the "Create new key set" option checked
- Cryptographic provider: "Microsoft Base Cryptographic Provider v1.0"
- Key Usage: "Both"
- Key Size: "1024"
- Select the "Mark keys as exportable" check box
- Select the "Use local machine store" check box
8. Leave all the other options set to the default value unless you need to make a specific change.
9. Click "Submit".
10. If the certification authority is configured to issue certificates automatically, the "Certificate Issued" screen should appear. Click "Install this Certificate". The "Certificate Installed" screen should appear with the message "Your new certificate has been successfully installed".
11. If the certification authority is not configured to issue certificates automatically, a "Certificate Pending" screen appears, requesting that you wait for an administrator to issue the certificate that was requested. To retrieve a certificate that an administrator has issued, return to the Web address and click "Check on a pending certificate". Click the requested certificate, and then click "Next". If the certificate is still pending, the "Certificate Pending" screen appears. If the certificate has been issued, the "Install this Certificate" screen appears.


Checking the installation of the local computer certificate


Once you have installed the certificate, verify the location of the certificate using the Certificate (Local Computer) snap-in in Microsoft Management Console (MMC). Your certificate should appear under Personal.

Figure 7-44 Unique computer certificate

If the certificate you have installed does not appear here, it has either been installed as a "User certificate request", or you did not select "Use local machine store" within the advanced request.

7.5.4 Setting Up SSL on a Web Server


Microsoft's instructions for setting up SSL are available via the following link: http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp (Procedure: How to set up SSL on a Web server).

Summary
Secure Sockets Layer (SSL) is a collection of encryption methods that provide authentication, trust verification and data integrity. SSL is the method most often used between Web browsers and Web servers to establish a secure communication channel. SSL can also be used for secure communication processes between client applications and Web services. A Web server must be configured with an SSL certificate in order to support SSL communication processes. The following sections describe how to request an SSL certificate and how to configure Microsoft Internet Information Services (IIS) to provide support for secure communication processes with Web browsers and other types of client application that use SSL.

7.5.4.1 Creating a Certificate Request


Proceed as described below to create a new certificate request, which can be sent to a certification authority (CA) for processing. Once the request has been processed, the certification authority returns a file containing the verified certificate.

Procedure
1. Start the "IIS-MMC" (Microsoft Management Console) snap-in.
2. Expand the node with the name of your Web server and select the "WebNavigator" Web site.
3. Right-click the Web site and select "Properties".
4. Click the "Directory Security" tab.
5. Under "Secure communications", click the "Server Certificate" button to start the Web Server Certificate Wizard. Note: If the "Server Certificate" button is not available, you have probably selected a virtual directory, a directory or a file. Repeat Step 2 and select a Web site.
6. Click "Next" to close the "Welcome" dialog box.
7. Click "Create a new certificate" and then click "Next".
8. The dialog box displayed now contains the following two options:
- "Prepare the request now, but send it later": This option is always available.
- "Send the request immediately to an online certification authority": This option is only available when the Web server has access to one or more Microsoft certificate servers in a Windows 2000 domain that are configured to issue Web server certificates. At a later point in the request procedure you will have the opportunity to select from a list the certification authority to which you wish to send your request.
Click "Prepare the request now, but send it later" and then "Next".


9. Enter a meaningful name for the certificate in the "Name" field, for example "WebNavigator". Now enter 1024 as the bit length of the key in the "Bit length" field and click "Next". The Wizard uses the name of your current Web site as the default name. This name is not used in the certificate itself; it is only the displayed name that helps administrators identify it.
10. Type your organization name (e.g., Plant) in the "Organization" field and the organizational unit (e.g., Laboratory) in the "Organizational unit" field, and click "Next". Note: This information is entered into the certificate request; check it carefully to ensure it is correct. The certification authority checks this information and enters it into the certificate. Visitors to your Web site might wish to display this information and decide whether they want to accept this certificate.
11. Enter a common name for the site in the "Common Name (CN)" field and then click "Next". Important: The common name is one of the critical pieces of information entered in the certificate. It is the DNS name of the Web site (i.e., the name that the user enters to visit your site). If the certificate name does not match the site name, a problem with the certificate is reported when users visit the site. If the site is located on the Web and its name is "http://www.plant.com", enter this as the common name. If the site is an intranet site and users select it based on the computer name, enter the NetBIOS or DNS name of the computer, in this example "WinCCWebServer01.laboratory.plant.com".
12. Enter the relevant information in the "Country/Region", "State/Province" and "City" fields and click "Next". Enter a file name for the certificate request. The file contains information such as:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3Aubm9ydGhhbWVy...
-----END NEW CERTIFICATE REQUEST-----

This is a Base64-coded representation of your certificate request. The request contains the information entered in the Wizard as well as your public key. It also contains information that is signed by the private key. The request file is sent to the certification authority. The certification authority then uses the public key information from the certificate request to verify the information signed with the private key. The certification authority also checks the information sent with the request. Once you have sent the request to the certification authority, the certification authority sends back a file containing the certificate. Start the Web Server Certificate Wizard again.
13. Click "Next". The Wizard now shows a summary of the information contained in the certificate request.
14. Click "Next" and then "Finish" to complete the request process.

The certificate request can now be sent to the certification authority for analysis and processing. Once you have received a response, you can continue and, using the IIS Certificate Wizard again, install the certificate contained in the response on the Web server.
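As an added illustration (example code, not part of the original manual), the following Python script decodes the Base64 body of a certificate request with nothing but the standard library and walks the first fields of the CertificationRequestInfo structure: the version and the subject name. It is run on the truncated fragment printed above, so it also has to cope with a buffer that ends before the encoded lengths say it should, which is why it reports truncation. The point for the administrator is the one the paragraph makes: the request file is encoded, not encrypted. The subject, organization and public key are readable by anyone who obtains the file, and it is only the signature, made with the private key that never leaves the Web server, that lets the certification authority verify that the requester holds that key. The attribute OID table, the string-type table and all function names are assumptions of this example.

```python
import base64
import re

# The manual's own (truncated) request fragment, used here as constructed sample input.
PAGE_CSR_FRAGMENT = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZjCCAs8CAQAwgYoxNjA0BgNVBAMTLW1penJvY2tsYXB0b3Aubm9ydGhhbWVy
-----END NEW CERTIFICATE REQUEST-----"""

# X.500 attribute OIDs found in a subject name (assumption: the common ones suffice).
ATTRIBUTE_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
}
# ASN.1 string tags and the codec that decodes them.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def pem_to_der(pem):
    """Strip the BEGIN/END armor and Base64-decode the body (padding it if truncated)."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    body = "".join(body.split())
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body)


def read_tlv(der, pos):
    """Read one DER tag/length header. Returns (tag, value_start, value_end).
    value_end may lie beyond len(der) when the buffer is truncated."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_csr_subject(der):
    """Walk CertificationRequest -> CertificationRequestInfo -> version, subject.
    Returns {'version': int, 'subject': [(attr, value, value_truncated)], 'truncated': bool}."""
    tag, pos, outer_end = read_tlv(der, 0)            # CertificationRequest SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this a certificate request?")
    truncated = outer_end > len(der)                  # declared length exceeds what we have
    tag, pos, _ = read_tlv(der, pos)                  # CertificationRequestInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    tag, vstart, vend = read_tlv(der, pos)            # version INTEGER (0 for PKCS #10 v1)
    if tag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(der[vstart:vend], "big")
    tag, pos, name_end = read_tlv(der, vend)          # subject Name: SEQUENCE OF RDN
    if tag != 0x30:
        raise ValueError("missing subject")
    subject = []
    while pos + 2 <= min(name_end, len(der)):         # stop at the end of the Name or the buffer
        _, rdn_pos, rdn_end = read_tlv(der, pos)      # RelativeDistinguishedName SET
        _, attr_pos, _ = read_tlv(der, rdn_pos)       # AttributeTypeAndValue SEQUENCE
        _, oid_start, oid_end = read_tlv(der, attr_pos)
        oid = decode_oid(der[oid_start:oid_end])
        vtag, vstart, vend = read_tlv(der, oid_end)   # the attribute value string
        raw = der[vstart:vend]                        # shorter than declared if truncated
        value = raw.decode(STRING_TAGS.get(vtag, "latin-1"), "replace")
        subject.append((ATTRIBUTE_NAMES.get(oid, oid), value, vend > len(der)))
        pos = rdn_end
    return {"version": version, "subject": subject, "truncated": truncated}


if __name__ == "__main__":
    print(parse_csr_subject(pem_to_der(PAGE_CSR_FRAGMENT)))
```

On the fragment above the script finds version 0 and a single CN whose value begins "mizrocklaptop.northamer" (the rest of the request is cut off after the first 64 Base64 characters). On a complete request file the same walk yields every attribute entered in the Wizard, which is a quick way to check the common name before the request leaves the server.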

7.5.4.2 Submitting a Certificate Request


The procedure described involves using the Microsoft Certificate Services to submit a certificate request created by following the procedure described above.

Procedure
1. Open the certificate request file you created in the previous procedure in Notepad and copy its entire content to the clipboard.
2. Open Internet Explorer and navigate to "http://SUS-CA/CertSrv", where SUS-CA is the name of the computer on which Microsoft Certificate Services is to run.
3. Click "Request a Certificate".
4. On the "Request a Certificate" page, click "Advanced Request".
5. On the "Advanced Request" page, select "Submit a certificate request using a base64-encoded CMC or PKCS #10 file, or a renewal request using a base64-encoded PKCS #7 file".
6. On the "Submit Certificate or Renewal Request" page, click the text field for the Base64-coded certificate request (PKCS #10 or #7). Now press "CTRL+V" to paste the certificate request you copied to the clipboard.
7. Click "Submit".
8. Close Internet Explorer.

7.5.4.3 Issuing a Certificate

Procedure
1. Start the "Certification Authority" utility by selecting "Administration Tools" under Programs.
2. Expand your certification authority and select the "Pending Requests" folder.
3. Select the certificate request you just submitted.
4. Select the menu command Action > All Tasks and click "Issue".
5. Check that the certificate appears in the "Issued Certificates" folder and double-click it to display it.
6. In the "Details" tab, click "Copy to file" and save the certificate as a base64-coded X.509 certificate.
7. Close the properties window of the certificate.
8. Close the "Certification Authority" utility.

7.5.4.4 Installing the Certificate on the Web Server


Once you have issued the certificate, proceed as follows to install it on the Web server.

Procedure
1. Start Internet Information Services if it is not already running.
2. Expand the node with the name of your server and select the "WebNavigator" Web site.
3. Right-click the Web site and select "Properties".
4. Click the "Directory Security" tab.
5. Click "Server Certificate" to start the Web Server Certificate Wizard.
6. Click "Process the pending request and install the certificate" and then "Next".
7. Type the location and name of the file containing the response from the certification authority and then click "Next".
8. Make sure that 443 is entered as the SSL port and click "Next".
9. Verify that the information is correct in the certificate overview, then click "Next" and "Finish". The certificate is now installed on the Web server.

7.5.4.5 Configuring Resources to Request SSL Access


Proceed as follows to configure the "WebNavigator" page to request SSL for access. Web clients must use the HTTPS protocol to access the WebNavigator.

Procedure
1. Start Internet Information Services if it is not already running.
2. Expand the name of your server and the "WebNavigator" Web site.
3. Click the "Directory Security" tab.
4. Click "Edit" under "Secure Communication".
5. Click "Require secure channel (SSL)". Web clients that wish to access the Web site must now use HTTPS.
6. Click "OK" and then click "OK" again to close the "Properties" dialog box.
7. Close Internet Information Services.
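Once SSL is required, the browser warning mentioned in step 11 of 7.5.4.1 becomes the thing clients see first if the certificate's name does not match the name they type. The following Python script is an added check (example code, not the manual's own procedure) that encodes that rule: it lists the names a server certificate is valid for, preferring the DNS entries of a subjectAltName extension and falling back to the common name as the 2003-era Wizard produces it, and compares them with the host name the WebNavigator clients will use. It works on the dictionary shape returned by Python's ssl.getpeercert(), so the same function can be run offline on the constructed samples below or against the live Web server with check_https_server(). The sample certificates, host names and function names are assumptions of this example.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
# Mirrors the Wizard example: CN = DNS name of the computer, no subjectAltName extension.
WIZARD_STYLE_CERT = {
    "subject": (
        (("organizationName", "Plant"),),
        (("organizationalUnitName", "Laboratory"),),
        (("commonName", "WinCCWebServer01.laboratory.plant.com"),),
    ),
}

# Constructed sample with a subjectAltName extension, as newer CAs issue it.
SAN_CERT = {
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "wincc.plant.com"), ("DNS", "*.laboratory.plant.com")),
}


def certificate_names(cert):
    """Names the certificate is valid for: SAN DNS entries if present, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive exact match; a leading '*.' covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        want = pattern.split(".")[1:]
        have = host.split(".")
        return len(have) == len(want) + 1 and have[1:] == want and have[0] != ""
    return pattern == host


def certificate_matches_host(cert, host):
    """True when the name the user types is covered by the certificate."""
    return any(name_matches(name, host) for name in certificate_names(cert))


def explain_mismatch(cert, host):
    """One-line verdict for the administrator, listing the names that would have matched."""
    if certificate_matches_host(cert, host):
        return "OK: %s is covered by the certificate" % host
    return "MISMATCH: %s not in certificate names %s; browsers will warn" % (
        host, ", ".join(certificate_names(cert)))


def check_https_server(host, port=443, cafile=None):
    """Live check (not exercised offline): open TLS to the Web server, fetch its
    certificate and compare it with the host name the clients will use.
    cafile is the exported Plant CA certificate so the chain is verified as well."""
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = False        # verify_mode stays CERT_REQUIRED; we report names ourselves
    with socket.create_connection((host, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return explain_mismatch(cert, host)


if __name__ == "__main__":
    print(explain_mismatch(WIZARD_STYLE_CERT, "WinCCWebServer01.laboratory.plant.com"))
    print(explain_mismatch(WIZARD_STYLE_CERT, "www.plant.com"))
```

Run against the Wizard-style sample, the fully qualified computer name passes and "www.plant.com" is reported as a mismatch, which is exactly the case the manual warns about: clients must reach the WebNavigator under the name that was entered as the common name.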

8 Concluding remarks

8.1 Residual Risks
Comprehensive protection for your plant can be assured if you implement without exception all of the principles described in the previous sections. This will eliminate all known security vulnerabilities and threats. However, there is always a risk of unforeseen events and threats arising:
- Hardware can fail or malfunction
- Software can malfunction
- New and as yet unknown viruses can infiltrate the plant

8.2 Additional Measures
Residual risks cannot be entirely avoided. To guard against problems arising from these residual risks, or to enable you to locate and overcome such problems quickly, we recommend that you monitor all hardware and software extensively. "Production Admin" should employ the following methods and tools as part of this monitoring effort:
- Monitoring of all plant PCs and hardware using special programs such as WinCC Scope or APDiag (see: WinCC Information System)
- Planning logical monitoring policies and evaluating the logs created as a result


10 Meaning of the Symbols Used

The following table provides an overview of the symbols used in this document (the symbol graphics are not reproduced; only their meanings are listed).
Meaning:
- ERP plant segment (e.g., accounting)
- MES plant segment (e.g., quality control)
- Physical access control (e.g., guards, security services)
- Control system plant segment (e.g., production shop)
- Ethernet bus system in a plant: red - bus in the ERP system; yellow - bus in the MES system; green - terminal bus; blue - plant bus
- PC station single-user system (application described in graphic)
- Client PC station (application described in graphic)
- Server station (application described in graphic)
- Service, office PC or external PC that may be able to access the visualization system or associated data via a special application (application described in graphic)
- WinCC single-user system
- WinCC client (operator control and monitoring station)
- WinCC Web client
- WinCC server
- WinCC long-term archive server
- Office PC (EXCEL, WORD) or OPC client on MES or ERP layer
- Operating system server (domain server, domain controller)
- SUS Software Update Server
- SIMATIC IT client
- SIMATIC IT server
- A WinCC database is installed on the PC (for user data or archive data).
- A WinCC archive database is installed on the PC (for user data or archive data).
- A database for updates and backups is installed on the PC.
- A SIMATIC IT database is installed on the PC (for user data or archive data).
- Storage group for ERP systems
- A SIMATIC BATCH application is installed on the PC.
- A SIMATIC IT application is installed on the PC.
- A WEB application is installed on the PC.
- A WinCC native application is installed on the PC.
- User
- Group
- The group or this user is a member of a global group in the domain or is a domain user (different groups).
- Indicates that Active Directory is running on the domain controller.
- Folder
- Organization units
- Local policy
- Local groups of a PC station
- Switch
- Router
- Firewall
- Receiver for a time signal
- The PC station has access to the Internet


Glossary
3DES
Source: Microsoft Help and Support Center Windows Server 2003 See definition for 3DES

3DES
An implementation of DES (Data Encryption Standard) that uses three cryptographic iterations in each data block. Because a 56-bit key is used in each iteration, this results in 168-bit encryption of the data. Although 3DES is slower in performance due to the additional cryptographic calculations, it is much more secure than DES.

Access Control
Source: Microsoft Help and Support Center Windows Server 2003 Access Control is a security mechanism that determines which actions can be carried out by a user, group, service, or computer for a computer or a specific object such as a file, a printer, a registry subkey or a directory services object.

Account
Access permission for a specific person on a network. A user name and password are usually part of an account.

Active Directory
Source: Microsoft Help and Support Center Windows Server 2003 A Windows-based directory service. Active Directory stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects. See also: Domain

Address
Source: Microsoft Help and Support Center Windows Server 2003 A unique identifier used by a network node to identify itself to other nodes on the network. It is also referred to as the "network address" or "MAC address".

Administrator
Source: Microsoft Help and Support Center Windows Server 2003 In the Windows Server 2003 product family, an administrator is a person who is responsible for installing and managing local computers, stand-alone servers, member servers or domain controllers. An administrator sets up user and group accounts, assigns passwords and permissions and helps users who have network problems. Administrators can be members of the Administrators group on local computers or servers. A person who is a member of the Administrators group on a local computer or server has full access rights to the computer or server and can assign access rights to users as needed. Administrators can also be members of the Domain Admins group on domain controllers, in which case they have full control over the user and computer accounts in the domain. See also: Domain, User account, Domain controller, Access control

AS
See definition for Automation system (AS).

Authentication
Source: Microsoft Help and Support Center Windows Server 2003 Authentication is the process for verifying that an entity or object is who or what it claims to be. Examples include confirming the source and integrity of information by verifying a digital signature or verifying the identity of a user or computer.

Authentication protocol
Source: Microsoft Help and Support Center Windows Server 2003 The protocol that an entity on a network uses to prove its identity to a remote entity. The identity is typically proven by a secret key such as a password or with a key that is even more secure such as a Smart card. Some authentication protocols implement procedures for the shared use of keys between client and server in order to ensure message integrity or data protection.

Authorization
Authorization is the process of granting a user on a computer system or network permission to perform certain actions. See also: Authentication

Automatic Updates (AU)
AU is a service that is executed on AU clients. It enables Windows updates to be downloaded and installed. If this service is disabled, neither the automatic update function nor the Windows Update Web site can be used. See also: Software Update Service (SUS)

Automation system (AS)
An automation system is a programmable logic controller (PLC). Note: The SIMATIC WinCC visualization system has been optimized for operation with SIMATIC S7-300 and S7-400 PLCs.

Building
Source: BSI Baseline Security Manual Chapter 4.1 Buildings surround the installed information technology and thereby ensure its outer protection. The infrastructure facilities of a building are also a necessary requirement for IT operation. Therefore, the building structure, such as walls, ceilings, floors, roof, windows, and doors, must be taken into consideration, along with all building-wide utilities such as electricity, water, gas, heating, mail chutes, etc.

Central archive server
See definition for: Long-term archive server

Central clock
The following central clocks are suitable for synchronizing a plant with an exact time of day:
- GPS (Global Positioning System): global satellite system for computing exact positions on the earth. The satellites transmit a time signal.
- DCF77: radio signal from a time code transmitter in Frankfurt/Mainflingen (Federal Republic of Germany). The radio signal can be received with sufficient signal strength in many parts of Europe.
- Time servers publicly available and recognized on the Internet (e.g., time.nist.gov)
- Plant-specific, locally restricted clock

Certificate
Source: Microsoft Help and Support Center Windows Server 2003 A digital document that is commonly used for authentication and secure exchange of information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. See also: Certification Authority (CA)

Certificate Service
Source: Microsoft Help and Support Center Windows Server 2003 A software service that issues certificates for a particular certification authority. It provides customizable services for issuing and managing certificates for the organization. Certificates can be used to provide authentication support. This includes secure e-mail, web-based authentication and Smart Card authentication. See also: Authentication, Service, Internet Authentication Service (IAS), Certificate, Certification Authority (CA)

Certification Authority (CA)
Source: Microsoft Help and Support Center Windows Server 2003 An organization responsible for establishing and vouching for the authenticity of public keys belonging to requesters (usually users or computers) or other certification authorities. The activities of a Certification Authority can include binding public keys to unique names through signed certificates, managing certificate serial numbers and certificate revocation. See also: Certificate; Root Certification Authority

Class A IP address
Source: Microsoft Help and Support Center Windows Server 2003 A unicast IP address between 1.0.0.1 and 127.255.255.254. The first octet indicates the network, and the last three octets indicate the host on the network. Class-based IP addressing has been replaced by Classless Interdomain Routing (CIDR).

Class B IP address
Source: Microsoft Help and Support Center Windows Server 2003 A unicast IP address between 128.0.0.1 and 191.255.255.254. The first two octets indicate the network, and the last two octets indicate the host on the network. Class-based IP addressing has been replaced by Classless Interdomain Routing (CIDR).

Class C IP address
Source: Microsoft Help and Support Center Windows Server 2003 A unicast IP address between 192.0.0.1 and 223.255.255.254. The first three octets indicate the network, and the last octet indicates the host on the network. Network Load Balancing provides optional session support for Class C IP addresses (in addition to support for single IP addresses) to accommodate client-side use of multiple proxy servers. Class-based IP addressing has been replaced by Classless Interdomain Routing (CIDR).
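The three class entries above give first-octet ranges and say which octets form the network and which the host (the "Host ID" entry later in this glossary is the same split), and note that CIDR replaced class-based addressing. The following script is an added example, not code from the WinCC manual or from Microsoft; it encodes exactly the ranges stated above, splits an address into network ID and host ID by class, writes the classful network in CIDR form, and shows why CIDR was needed by counting how many classful networks a single CIDR block covers. The example address 192.168.7.27 is the one used in this glossary's "IP address" entry; the other addresses are constructed.

```python
"""Class-based IPv4 addressing as defined in the Class A/B/C glossary entries,
the network ID / host ID split, and the CIDR equivalent.

Added example, not code from the WinCC manual. Standard library only.
"""
import ipaddress
from typing import Optional, Tuple

# First-octet range of each class exactly as the glossary gives it, and the
# number of leading octets that form the network ID; the remaining octets are
# the host ID.
CLASS_RANGES = {
    "A": (1, 127, 1),    # 1.0.0.1 - 127.255.255.254, network ID = 1 octet
    "B": (128, 191, 2),  # 128.0.0.1 - 191.255.255.254, network ID = 2 octets
    "C": (192, 223, 3),  # 192.0.0.1 - 223.255.255.254, network ID = 3 octets
}


def classify(addr: str) -> Optional[str]:
    """'A', 'B' or 'C' for an address in the glossary's unicast ranges, else None."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for cls, (low, high, _) in CLASS_RANGES.items():
        if low <= first_octet <= high:
            return cls
    return None  # 0.x.x.x, multicast (224-239) or reserved (240-255)


def split_network_host(addr: str) -> Tuple[str, str, str]:
    """(class, network ID, host ID) as dotted strings, following the class rules."""
    cls = classify(addr)
    if cls is None:
        raise ValueError(f"{addr} is not a class A, B or C unicast address")
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    n = CLASS_RANGES[cls][2]
    return cls, ".".join(octets[:n]), ".".join(octets[n:])


def classful_network(addr: str) -> str:
    """The network implied by the class rules, written in CIDR form (/8, /16 or /24)."""
    cls, _, _ = split_network_host(addr)
    prefix = CLASS_RANGES[cls][2] * 8
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def classful_networks_spanned(cidr: str) -> int:
    """How many classful networks a CIDR block covers (1 if it is a subnet of one).

    A result greater than 1 is exactly what class-based addressing could not
    express: e.g. 172.16.0.0/12 is a single CIDR block but 16 class B networks.
    """
    net = ipaddress.ip_network(cidr)
    cls, _, _ = split_network_host(str(net.network_address))
    class_prefix = CLASS_RANGES[cls][2] * 8
    if net.prefixlen < class_prefix:
        return 2 ** (class_prefix - net.prefixlen)
    return 1


if __name__ == "__main__":
    # Constructed sample addresses; 192.168.7.27 is the glossary's own example.
    for a in ("10.1.2.3", "172.16.5.4", "192.168.7.27"):
        print(a, split_network_host(a), classful_network(a))
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.4.0/22"):
        print(block, "covers", classful_networks_spanned(block), "classful network(s)")
```

Running the script shows that a firewall rule or IPsec filter written in classful terms can be off by a large factor against a CIDR-allocated plant network, which is why address filters in a security cell should always be specified with an explicit prefix length.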

Client
Source: Microsoft Help and Support Center Windows Server 2003 Any computer or program connecting to, or requesting the services of, another computer or program. A client can also refer to the software that a computer or program can use to establish the connection. On a local area network (LAN) or the Internet, a client is a computer that accesses shared network resources provided by another computer (called a server).

Closed system
Source: FDA 21 CFR 11 A closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Control layer
The name of the bottom layer of the automation pyramid. (Top: ERP - Middle: MES - Bottom: Control layer) Typical systems used in this area of the automation hierarchy, which is close to the process, are operator control and monitoring systems such as SIMATIC WinCC (SCADA = Supervisory Control and Data Acquisition), PLCs such as SIMATIC S7-300 and S7-400 (PLC = Programmable Logic Controller), drives, sensors, etc.

Control system
All of the automation systems and SCADA systems available on the control layer.

Data Encryption Standard (DES)
Source: Microsoft Help and Support Center Windows Server 2003 An encryption algorithm that uses a 56-bit key and maps a 64-bit input block to a 64-bit output block. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for odd parity, resulting in 56 bits of usable key.
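The DES entry above and the 3DES entry at the start of this glossary describe the key layout (8 bytes per DES key, one odd-parity bit per byte, three keys for 3DES) only in words. The following script is an added example, not code from the WinCC manual or from Microsoft; it checks and repairs the parity bits of a DES or 3DES key, computes the usable key bits (56 and 168) from that layout, and additionally flags the four well-known DES weak keys, which the glossary entry does not mention. The sample keys are constructed.

```python
"""DES / 3DES key structure as described in the glossary entries.

Added example, not code from the WinCC manual. Standard library only.
A DES key is 8 bytes (64 bits); the least significant bit of every byte is an
odd-parity bit, so 7 bits per byte (56 in total) are actual key material.
A 3DES key is three such 8-byte keys, i.e. 3 x 56 = 168 usable key bits.
"""
from typing import List

# The four DES keys for which encryption equals decryption. A well-known
# property that the glossary entry does not list; key management should
# reject them.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def has_odd_parity(byte: int) -> bool:
    """True if the 8-bit value contains an odd number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def set_odd_parity(byte: int) -> int:
    """Recompute the parity bit (bit 0) so that the byte has odd parity."""
    key_bits = byte & 0xFE  # keep the 7 key bits, clear the parity bit
    return key_bits | (0 if has_odd_parity(key_bits) else 1)


def usable_key_bits(key: bytes) -> int:
    """Key material in bits: 7 per byte, so 56 for DES and 168 for 3DES."""
    if len(key) not in (8, 16, 24):
        raise ValueError("DES keys are 8 bytes; 3DES keys are 16 or 24 bytes")
    return len(key) * 7


def bad_parity_bytes(key: bytes) -> List[int]:
    """Indices of key bytes whose parity bit is wrong; [] means the key is well formed."""
    usable_key_bits(key)  # validates the length
    return [i for i, b in enumerate(key) if not has_odd_parity(b)]


def fix_parity(key: bytes) -> bytes:
    """Return the key with every parity bit corrected; the 7 key bits per byte are unchanged."""
    usable_key_bits(key)
    return bytes(set_odd_parity(b) for b in key)


def weak_components(key: bytes) -> List[int]:
    """Indices (0..2) of the 8-byte DES keys inside a DES/3DES key that are weak keys."""
    usable_key_bits(key)
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    return [i for i, p in enumerate(parts) if p in DES_WEAK_KEYS]


if __name__ == "__main__":
    # Constructed sample: a 24-byte all-zero 3DES key, so every parity bit is wrong.
    raw = bytes(24)
    print("usable bits:", usable_key_bits(raw))        # 168
    print("bad parity at:", bad_parity_bytes(raw))     # all 24 positions
    fixed = fix_parity(raw)
    print("after fix:", fixed.hex())                   # "01" repeated 24 times
    print("weak components:", weak_components(fixed))  # [0, 1, 2]
```

The all-zero sample is deliberately chosen: after parity repair it becomes three copies of the weak key 0101...01, which shows that a parity check alone does not make a key acceptable and that both checks belong in any routine that accepts DES or 3DES key material.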

Data integrity
Source: Microsoft Help and Support Center Windows Server 2003 A property of secure communication by means of which a computer can verify that data has not been altered or corrupted during transmission from the source. Data protected by IPSec (Internet Protocol Security), for example, is assigned a cryptographic checksum that uses a secret key known only to the communicating IPSec peers. An intermediate node can change the data, but without knowing the secret key it cannot correctly recalculate the cryptographic checksum.

Delegation
Source: Microsoft Help and Support Center Windows Server 2003 The assignment of responsibility for management and administration tasks to a user, computer, group, or organization. For Active Directory, the assignment of responsibility in such a way that users can perform certain administration tasks or manage certain directory objects without administrative logon credentials. Responsibility is assigned by means of membership of a security group, the Delegation of Control wizard, or Group Policy settings. For DNS, the assignment of responsibility for a DNS zone. Delegation occurs when a name server (NS) resource record in a parent zone lists the DNS server authoritative for the delegated zone. See also: Active Directory, DNS (Domain Name System), DNS server, Group Policies, Security group, Zone

Demilitarized zone (DMZ)
Abbreviated as DMZ. In telecommunications, a computer, router or small network that is set up as a "neutral zone" between a company's internal network and the "external" public network. It is designed to prevent outside users from directly accessing a server containing company data. Another term often used for DMZ is "perimeter network".

Denial-of-Service Attacks (DoS Attacks)
(IT Glossary) Denial of service: A computer, e.g., a server, can no longer execute the requested IP service, can no longer execute any useful function, or executes it extremely slowly, for one of the following reasons:
- The computer becomes overloaded by the processing of IP messages or other activities.
- The computer becomes inundated by a flood of mail (caused by hoaxes or viruses, for example) or is partially or completely put out of service by the triggering of existing and known bugs (such as the Lovsan/Blaster worm).
- The computer is partially or completely put out of service by the activation of known trapdoors of network services or programs (such as the Internet worm of 1988).
Causes: network-based attack using pings, e-mail or other IP messages; local sabotage.

DES
Source: Microsoft Help and Support Center Windows Server 2003 See definition for: Data Encryption Standard, DES

Desktop
Source: Microsoft Help and Support Center Windows Server 2003 The desktop is the on-screen work area in which windows, icons, menus, and dialog boxes appear.

Device
Source: Microsoft Help and Support Center Windows Server 2003 Any piece of equipment that can be attached to a network or computer, for example, a computer, printer, joystick, adapter or modem card, or any other peripheral equipment. Devices normally require a device driver to function with Windows. For Windows licensing, electronic devices such as computers, workstations, terminals, and handheld computers that can access or use the services of the Windows operating system, including file and printer sharing, remote access and authentication.

DHCP
Source: Microsoft Help and Support Center Windows Server 2003 See definition for: Dynamic Host Configuration Protocol (DHCP)

DHCP server
Source: Microsoft Help and Support Center Windows Server 2003 A computer running the Microsoft DHCP service. This provides active DHCP clients with dynamic configuration of IP addresses and related information. See also: Dynamic Host Configuration Protocol (DHCP), IP address, DHCP service

DHCP service
Source: Microsoft Help and Support Center Windows Server 2003 A DHCP service is a service that enables a computer to function as a DHCP server and to configure DHCP-enabled clients on a network. DHCP runs on a server, enabling the automatic, centralized management of IP addresses and other TCP/IP configuration settings for network clients.

DMZ
See definition for: Demilitarized zone (DMZ)

DNS (Domain Name System)
Source: Microsoft Help and Support Center Windows Server 2003 A hierarchically distributed database containing assignments of DNS domain names to various data types, such as IP addresses. DNS allows computers and services to be found based on user-friendly names and also allows other information stored in the database to be found. See also: Service, IP address, Transmission Control Protocol/Internet Protocol (TCP/IP), Domain name

DNS client
Source: Microsoft Help and Support Center Windows Server 2003 A client computer that asks the DNS server to resolve domain names. DNS clients keep a temporary cache of known DNS domain names. See also: Client, DNS (Domain Name System), DNS server

DNS server
Source: Microsoft Help and Support Center Windows Server 2003 A server that administers information for part of the DNS database and responds to and resolves DNS queries. See also: DNS (Domain Name System), DNS client, Server

Domain
Source: Microsoft Help and Support Center Windows Server 2003 In Active Directory, a domain is a collection of computer, user and group objects defined by an administrator. These objects share a common domain database, security policies and trust relationships with other domains. In DNS, any structure or partial structure within the DNS namespace. Although the names of DNS domains and Active Directory domains are often the same, DNS domains should not be confused with Active Directory domains. See also: Active Directory; DNS (Domain Name System)

Domain controller
Source: Microsoft Help and Support Center Windows Server 2003 A computer in a Windows domain environment, which runs Active Directory and manages user access to a network. Its responsibilities include logon management, authentication and access to directories and shared resources.

Domain name
Source: Microsoft Help and Support Center Windows Server 2003 The name given by an administrator to a group of networked computers that access a shared directory. Domain names are part of the DNS namespace tree and consist of a sequence of names separated by a period.

Dynamic Host Configuration Protocol (DHCP)
Source: Microsoft Help and Support Center Windows Server 2003 A TCP/IP service protocol that provides dynamically leased configuration of host IP addresses and distributes further configuration parameters to authorized network clients. DHCP supports secure, reliable and simple-to-use configuration of TCP/IP networks, prevents address conflicts and helps to conserve IP addresses on the network. DHCP uses a client/server model in which the DHCP server centrally manages the IP addresses used on the network. DHCP-capable clients can then request and obtain the lease of an IP address from a DHCP server when the network starts up.

EAP (Extensible Authentication Protocol)
Source: Microsoft Help and Support Center Windows Server 2003 See definition for: Extensible Authentication Protocol (EAP)

Encryption
The process of encoding data or messages so that content cannot be viewed.

ERP (Enterprise Resource Planning)
The name of the top layer of the automation pyramid. (Top: ERP - Middle: MES - Bottom: Control layer) Source: http://en.wikipedia.org/wiki/Enterprise_resource_planning ERP systems are designed to handle almost all business processes. Full integration and movement away from isolated solutions results in a recentralized system in which resources can be managed throughout the enterprise. Typical areas in which ERP software is used:
- Materials management (procurement, warehousing, dispatching, assessment)
- Production
- Finances and accounting
- Controlling
- Human resources
- Research and development
- Sales and marketing
- Master data management

Since different branches of industry pose highly varying requirements for ERP systems, most major suppliers offer solutions that include specially designed packages for specific branches.

Extensible Authentication Protocol (EAP)
Source: Microsoft Help and Support Center Windows Server 2003 An extension of the Point-to-Point Protocol (PPP) that permits arbitrary authentication mechanisms to be used to validate a PPP connection. See also: Point-to-Point Protocol (PPP)

FDA
Food & Drug Administration (FDA), USA. The Food & Drug Administration sets guidelines for the validation of processes and products. The most important, internationally applicable requirements for automation engineering (in regard to validation) are included in the GMP regulations 21 CFR Part 11.

Firewall
Source: Microsoft Help and Support Center Windows Server 2003 A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between computers on the network and external machines by routing communication via a proxy server outside the network. The proxy server determines whether it is safe to let a file pass through to the network. A firewall is also called a "security-edge gateway". See also: Proxy server

FQDN
See definition for: Fully Qualified Domain Name (FQDN)

Fully Qualified Domain Name (FQDN)
Source: Microsoft Help and Support Center Windows Server 2003 A DNS name that unambiguously indicates an absolute position in the domain namespace tree. Fully Qualified Domain Names differ from relative names in that they typically are stated with a trailing period (.) to qualify their position with reference to the root of the namespace (for example, host.example.microsoft.com.). See also: DNS (Domain Name System); Domain name
Group Policy
Source: Microsoft Help and Support Center Windows Server 2003 The Active Directory infrastructure that enables directory-based change and configuration management of user or computer settings, including security and user data. Group Policies can be used to define configurations for groups of users and computers. You can use Group Policies to make settings for registry-based policies, security, the installation of software, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings you make are stored in a Group Policy Object (GPO). You can link a GPO to selected Active Directory containers (sites, domains and organizational units) in order to apply the Group Policy settings in the GPO to the users and computers in these containers. Use the Group Policy Editor to create individual GPOs. You can use the Group Policy Management Console to manage Group Policy objects throughout the company.

Host
Source: Microsoft Help and Support Center Windows Server 2003 A device in a TCP/IP network that has an IP (Internet Protocol) address. This includes servers, workstations, printers with a network interface, and routers. Sometimes it refers to a specific network computer that performs a service used by network or remote clients. For Network Load Balancing, a cluster consists of multiple hosts connected over a local area network (LAN). See also: Service, Transmission Control Protocol/Internet Protocol (TCP/IP), Server, Client, Local Area Network (LAN)

Host ID
Source: Microsoft Help and Support Center Windows Server 2003 The part of the IP address uniquely identifying a computer in a specific network ID. See also: IP address

Host name
Source: Microsoft Help and Support Center Windows Server 2003 The DNS name of a device on a network. This name is used to locate computers on the network. Before a computer can be located, its host name must be included in the Hosts file or be known to a DNS server. On most computers running Windows, the host name and computer name are identical. See also: DNS (Domain Name System), DNS server

HTTP
See definition for: Hypertext Transfer Protocol (HTTP)

HTTPS
See definition for: Secure Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP)
The protocol used to transfer information on the World Wide Web. An HTTP address (a kind of Uniform Resource Locator [URL]) takes the form: http://www.microsoft.com/. See also: Protocol

IAS
See definition for: Internet Authentication Service (IAS)

Identity
Source: Microsoft Help and Support Center Windows Server 2003 A person or entity who or which must be verified by means of authentication based on criteria such as a password or certificate. See also: Authentication, Certificate

IIS
See definition for: Internet Information Services (IIS)

Internet Authentication Service (IAS)
Source: Microsoft Help and Support Center Windows Server 2003 The Microsoft implementation of a RADIUS (Remote Authentication Dial-In User Service) server and proxy, which provides authentication and account management for network access. See also: Authentication, Service, RAS service, Remote Authentication Dial-In User Service (RADIUS), Virtual Private Network (VPN), Certificate service

Internet Information Services (IIS)
Source: Microsoft Help and Support Center Windows Server 2003 Software services that support the creation, configuration and management of Web sites, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP).

Internet Protocol (IP)
A routable network protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing and the fragmentation and reassembly of IP packets. See also: Transmission Control Protocol/Internet Protocol (TCP/IP)
Internet Protocol Security (IPSec)
Source: Microsoft Help and Support Center Windows Server 2003 A set of industry-standard, cryptography-based protection services and security protocols. IPSec protects all protocols in the TCP/IP protocol suite and Internet communication using L2TP (Layer Two Tunneling Protocol). See also: Layer Two Tunneling Protocol (L2TP), Transmission Control Protocol/Internet Protocol (TCP/IP), Protocol

IP
See definition for: Internet Protocol (IP)

IP address
Source: Microsoft Help and Support Center Windows Server 2003 In the context of IPv4 (Internet Protocol, Version 4), a 32-bit address to identify a node on an IPv4 network. Each node in the IP network must be assigned a unique IPv4 address. This consists of the network ID and a unique host ID. The address is normally represented by the decimal values of the individual octets separated by periods (for example, 192.168.7.27). The IP address can be configured manually or dynamically with DHCP (Dynamic Host Configuration Protocol). In the context of IPv6 (Internet Protocol, Version 6), an ID that is assigned to an interface or a set of interfaces at IPv6 level and can be used as the source or destination for IPv6 packets.

Kerberos V5 authentication protocol
An authentication mechanism used to authenticate the identity of a user or host. The Kerberos V5 authentication protocol is used as the default authentication service. Kerberos can be used for authentication with IPSec (Internet Protocol Security). See also: Internet Protocol Security (IPSec)

L2TP
See definition for: Layer Two Tunneling Protocol (L2TP)

LAN
See definition for: Local Area Network (LAN)

Layer Two Tunneling Protocol (L2TP)
Source: Microsoft Help and Support Center Windows Server 2003 An industry-standard Internet tunneling protocol that supports encapsulation for sending PPP (Point-to-Point Protocol) frames via packet-oriented media. For IP networks, Layer Two Tunneling Protocol traffic is sent as User Datagram Protocol (UDP) messages. In Microsoft operating systems, the L2TP protocol is used in conjunction with Internet Protocol Security (IPSec) as a virtual private network (VPN) technology to provide remote access or router-to-router VPN connections. L2TP is described in RFC 2661. See also: Internet Protocol Security (IPSec), Point-to-Point Protocol (PPP), Tunnel, User Datagram Protocol (UDP)

Local Area Network (LAN)
Source: Microsoft Help and Support Center Windows Server 2003 A communications network connecting a group of computers, printers and other devices located within a relatively limited area (for example, a building). A LAN allows any connected device to interact with any other on the network. See also: Workgroup, Virtual Private Network (VPN), NetBIOS Extended User Interface (NetBEUI), Network Basic Input/Output System (NetBIOS)

Logon rights
Source: Microsoft Help and Support Center Windows Server 2003 Logon rights are user rights that are assigned to users enabling them to log onto the system as users. An example of a logon right is the right to log onto a system remotely. See also: User rights

Long-term archive server
Central archive server for WinCC PCs. See also: Central archive server

MES (Manufacturing Execution System)
The name of the middle layer of the automation pyramid. (Top: ERP - Middle: MES - Bottom: Control layer) Abbreviation for "Manufacturing Execution System", the designation for software solutions at plant control level. MES is responsible for acquiring all production data with the goal of optimizing production processes. The Manufacturing Execution System processes the acquired data so that it can be evaluated. Real-time production data are also processed for monitoring and controlling production processes. Automation level and management level: Manufacturing Execution Systems enable effective production and plant management because they permit fast reactions to changing manufacturing conditions and reduce activities not related to production. They therefore create a link between the automation level of the production processes and the systems on the management level. This is referred to as "vertical integration".

Microsoft Baseline Security Analyzer (MBSA)
Source: Microsoft Knowledge Base; Article ID: 329454 This program performs a general search on Windows computers for common system security misconfigurations and generates a security report for each computer it inspects. The MBSA can run on computers with Windows Server 2003, Windows 2000 and Windows XP. It can search for security vulnerabilities on computers running Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. The MBSA looks for common system security misconfigurations in Microsoft Windows, Microsoft Internet Information Services (IIS), Microsoft SQL Server, Microsoft Internet Explorer, and Microsoft Office. The MBSA also checks for missing security updates in Windows, IIS, SQL Server, Internet Explorer, Windows Media Player, Exchange Server, Microsoft Data Access Components (MDAC), Microsoft XML (MSXML), Microsoft Virtual Machine (VM), Content Management Server, Commerce Server, BizTalk Server, Host Integration Server, and Office (only local scans). Version 1.2 provides a graphic user interface and a command line interface. See also: Software Update Services (SUS), Windows Update Service (WUS), SMS

Name resolution service
Source: Microsoft Help and Support Center Windows Server 2003 A service, such as that provided by WINS or DNS, that allows friendly names to be resolved to an address or other specially defined resource data used to locate network resources of various types and purposes. See also: Service, DNS (Domain Name System), Windows Internet Name Service (WINS)

NetBIOS Extended User Interface (NetBEUI)
Source: Microsoft Help and Support Center Windows Server 2003 A network protocol native to Microsoft networks. This protocol is usually used on small local area networks (LANs) consisting of 1 to 200 clients (department size). NetBEUI uses token ring source routing as its only method of routing. NetBEUI is the Microsoft implementation of the NetBIOS standard. See also: Local Area Network (LAN), Network Basic Input/Output System (NetBIOS)

NetBIOS name
Source: Microsoft Help and Support Center Windows Server 2003 A 16-byte name for a process that uses NetBIOS (Network Basic Input/Output System). The NetBIOS Name is recognized by WINS, which maps the name to an IP address. See also: IP Address, Network Basic Input/Output System (NetBIOS), Windows Internet Name Service (WINS)

Network Access Quarantine Control
Source: Microsoft. See "Using and Configuring VPN (Virtual Private Network) and Network Access Quarantine Control for Secure Support Access".

Network Basic Input/Output System (NetBIOS)
Source: Microsoft Help and Support Center Windows Server 2003 An application programming interface (API) that can be used by application programs on a local area network (LAN). NetBIOS provides application programs with a uniform set of commands for requesting the lower-level network services required to manage names, conduct sessions and transmit datagrams between nodes on a network. See also: Service, Local Area Network (LAN)

Organizational unit
An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object (GPO) can be linked, or over which administrative authority can be delegated. See also: Active Directory

Package
Source: Microsoft Help and Support Center Windows Server 2003 An icon that represents embedded or linked information. This information can consist of a complete file, e.g., a Paint bitmap, or part of a file, e.g., a spreadsheet cell. When a package is selected, the application used to create the object either plays the object back (if it is a sound file, for example) or opens and displays the object. If the original information changes, linked information is then updated. However, embedded information has to be updated manually.

Permission
Source: Microsoft Help and Support Center Windows Server 2003 A rule associated with an object to regulate which users can gain access to that object and by what means. Permissions are granted or denied by the object's owner. See also: Privilege

Plant bus
The plant bus connects WinCC PCs, such as WinCC servers, to the automation systems (AS). Communication between the automation systems also takes place via the plant bus. See also: Terminal bus

Plant operating personnel
Plant operating personnel are all persons authorized to operate a plant.

Plant PC
All PCs in the plant, in other words, all WinCC PCs and all PCs for managing the infrastructure, such as DNS, WINS and DHCP servers, domain controllers, etc., for which the operating personnel are responsible. See also: WinCC PC

Plant personnel
All persons that have access to the plant, in other words, all plant operating personnel and any other persons such as cleaning personnel.

Point-to-Point Protocol (PPP)
Source: Microsoft Help and Support Center Windows Server 2003 An industry standard suite of protocols for the use of point-to-point links to transfer multiprotocol datagrams. PPP is documented in RFC 1661. See also: Transmission Control Protocol/Internet Protocol (TCP/IP)


Point-to-Point Tunneling Protocol (PPTP)
Source: Microsoft Help and Support Center Windows Server 2003 A network technology that supports multiprotocol VPNs (Virtual Private Networks). It provides remote users with secure access to company-internal networks via the Internet or other networks by dialing up an Internet Service Provider (ISP) or establishing a direct Internet connection. PPTP encapsulates IP (Internet Protocol), IPX (Internetwork Packet Exchange) or NetBEUI (NetBIOS Extended User Interface) data in IP packets. This encapsulation is also referred to as tunneling. This means that users can execute applications remotely that depend on certain network protocols. Note that the MS-CHAP authentication and MPPE encryption on which PPTP relies are considered weak today; where a choice exists, prefer L2TP/IPsec. See also: Internet Protocol (IP), Tunnel, Virtual Private Network (VPN), NetBIOS Extended User Interface (NetBEUI), Layer Two Tunneling Protocol (L2TP)

PPP
See definition for: Point-to-Point Protocol (PPP)

PPTP
See definition for: Point-to-Point Tunneling Protocol (PPTP)

Privilege
Source: Microsoft Help and Support Center Windows Server 2003 A user's right to perform a specific task, usually one that affects an entire computer system rather than an individual object. Privileges are assigned by administrators to individual users or groups of users as part of the security settings for the computer. See also: User rights, Permission

Protocol
Source: Microsoft Help and Support Center Windows Server 2003 A set of rules and conventions for sending information via a network. In respect of messages exchanged between network devices, these rules govern content, format, timing, sequence, and error control.

Proxy server
Source: Microsoft Help and Support Center Windows Server 2003 A firewall component that manages Internet traffic to and from a local area network (LAN) and can support other features such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as frequently visited Web pages, and it can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

Quarantine control
See Network Access Quarantine Control


RADIUS
See definition for: Remote Authentication Dial-In User Service (RADIUS)

RAS Service
Source: Microsoft Help and Support Center Windows Server 2003 A Windows NT 4.0 service that provides network access from a remote location to remote workers, field personnel and system administrators monitoring and managing servers at various branch locations of a company.

Remote Access
Source: Microsoft Help and Support Center Windows Server 2003 Part of the integrated routing and Remote Access Service (RAS), which provides network access from a remote location to remote workers, field personnel and system administrators managing servers at various branch locations of a company. Users can dial into the network from a remote location and use certain services such as file and printer sharing, e-mail, schedule planning and SQL databases.

Remote Authentication Dial-In User Service (RADIUS)
Source: Microsoft Help and Support Center Windows Server 2003 A security authentication protocol based on the client/server model. It is often used by Internet service providers (ISPs). RADIUS is currently the most commonly used means of authenticating and authorizing users on networks accessed by dial-up connection and where communication is controlled with tunneling. A RADIUS client is included in the routing and RAS service, which is a component of the Windows Server 2003 product family. A RADIUS server, referred to as the Internet Authentication Service (IAS), is part of the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition. See also: Authentication, Internet Authentication Service (IAS), Tunnel

Remote Procedure Call (RPC)
Source: Microsoft Help and Support Center Windows Server 2003 A message-passing mechanism that permits a distributed application to call services that are available on various computers on a network. Used during remote servicing of computers. See also: Service

Root Certification Authority
Source: Microsoft Help and Support Center Windows Server 2003 The most trusted Certification Authority (CA), which is at the top of a certification hierarchy. The root CA has a self-signed certificate.


Router
Source: Microsoft Help and Support Center Windows Server 2003 This hardware device helps LANs (Local Area Networks) and WANs (Wide Area Networks) achieve interoperability and connectivity and can link LANs that have different network topologies, such as Ethernet and Token Ring. Routers compare the information contained in packet headers with a LAN segment and then select the best possible transmission route for the packet in an attempt to optimize network performance. See also: Local Area Network (LAN), Routing, Wide Area Network (WAN)

Routing
Source: Microsoft Help and Support Center Windows Server 2003 The process of forwarding a packet via a network from a source host to a destination host. See also: Host, Packet

RPC
See definition for: Remote Procedure Call (RPC)

Secure channel (Schannel)
A security support provider (SSP) that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security), the standard protocols for authenticated, encrypted connections on the Internet. See also: Secure Sockets Layer (SSL), Authentication protocol

Secure Hypertext Transfer Protocol
Source: Microsoft Help and Support Center Windows Server 2003 A protocol that provides a secure HTTP (Hypertext Transfer Protocol) connection. See also: Hypertext Transfer Protocol (HTTP), Protocol

Secure Sockets Layer (SSL)
Source: Microsoft Help and Support Center Windows Server 2003 A proposed open standard for establishing a secure communication channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.

Security
Source: Microsoft Help and Support Center Windows Server 2003 On a network, security refers to the protection of a computer system and the data stored on it against damage and loss. Security is implemented in such a way that only authorized users can access shared files. See also: Authorization


Security group
Source: Microsoft Help and Support Center Windows Server 2003 A group that can be included in discretionary access control lists (DACLs) used to define permissions for resources and objects. A security group can also be used as an e-mail group. An e-mail sent to the group is automatically sent to all members of that group.

Server
Generally, a computer that makes shared resources available to network users. See also: Client

Service
Source: Microsoft Help and Support Center Windows Server 2003 A program, routine or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided via a network, they can be published in Active Directory, facilitating service-centric administration and usage. Services include security account management, file replication service and routing and RAS services.

SMS
See definition for: Systems Management Server (SMS)

Software Update Service (SUS)
Source: Microsoft Knowledge Base; Article ID: 810796 Software Update Services is an easy-to-use, robust tool for deployment and management of updates based on the successful public Windows Update Service. See also: Automatic Updates (AU), Microsoft Baseline Security Analyzer (MBSA), SMS, Windows Update Service (WUS)

SSL
See definition for: Secure Sockets Layer (SSL)

Stratum
A stratum is a level in the hierarchy of a time-synchronization network such as NTP; all devices on the same stratum are the same number of hops away from the reference clock. The reference clock itself (atomic clock, GPS receiver, radio time signal receiver, etc.) is stratum 0. A stratum 1 server is directly attached to a stratum 0 reference clock and distributes its time via a time service (e.g., NTP or SNTP). Computers that synchronize with a stratum 1 server are on stratum 2, computers that synchronize with a stratum 2 server are on stratum 3, and so on; each additional stratum adds some error.

Stratum values 0 to 15 are defined, a total of 16 strata; a value of 16 in an NTP packet indicates a clock that is not synchronized at all. Strata 1 to 4 are usually used.
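The stratum is carried in every NTP/SNTP packet, so a client can check it before trusting a time source. The following Python example is added here and is not code from the WinCC manual; it parses the 48-byte NTP header, classifies the stratum value as described above and rejects replies from servers that are not synchronized. The packets it parses are constructed in the code (the server address 192.168.10.1 and the reference IDs are made up), so it runs offline.

```python
# Added example (not from the WinCC manual): parses the 48-byte NTP/SNTP header and
# classifies the stratum field so that a time source can be checked before it is
# trusted. The packets it runs on are constructed here, not captured from a real server.
import struct
from datetime import datetime, timedelta, timezone

NTP_HEADER = "!BBBbIIIQQQQ"            # LI/VN/Mode, stratum, poll, precision, root delay,
                                        # root dispersion, reference ID, 4 x 64-bit timestamps
NTP_UNIX_OFFSET = 2_208_988_800         # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def stratum_class(stratum: int) -> str:
    """Meaning of the stratum byte as defined in RFC 5905."""
    if stratum == 0:
        return "unspecified (kiss-o'-death in a server reply)"
    if stratum == 1:
        return "primary (directly attached to a stratum 0 reference clock)"
    if 2 <= stratum <= 15:
        return "secondary"
    if stratum == 16:
        return "unsynchronized"
    return "reserved"


def ntp_to_datetime(ts: int) -> datetime:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    seconds = ts >> 32
    fraction = (ts & 0xFFFFFFFF) / 2**32
    return NTP_EPOCH + timedelta(seconds=seconds + fraction)


def parse_ntp_packet(data: bytes) -> dict:
    """Decode the fixed NTP header into a dictionary of named fields."""
    if len(data) < 48:
        raise ValueError("NTP packet is shorter than the 48-byte header")
    (flags, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(NTP_HEADER, data[:48])
    # Stratum 0/1 and 16 carry a four-character ASCII code (e.g. GPS, LOCL, INIT);
    # stratum 2..15 carry the IPv4 address of the upstream server (for IPv6 peers the
    # field holds the first four bytes of an MD5 hash instead, not handled here).
    ref_bytes = ref_id.to_bytes(4, "big")
    if 2 <= stratum <= 15:
        reference = ".".join(str(b) for b in ref_bytes)
    else:
        reference = ref_bytes.rstrip(b"\x00 ").decode("ascii", errors="replace")
    return {
        "leap": flags >> 6,                 # 3 = clock not synchronized (alarm condition)
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                # 4 = server reply, 5 = broadcast
        "stratum": stratum,
        "stratum_class": stratum_class(stratum),
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 2**16,   # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 2**16,
        "reference_id": reference,
        "transmit_time": ntp_to_datetime(xmit_ts),
    }


def is_usable_time_source(info: dict) -> tuple[bool, str]:
    """Checks a client should make before accepting a reply from a configured time source."""
    if info["mode"] not in (4, 5):
        return False, "not a server or broadcast reply"
    if info["leap"] == 3:
        return False, "server reports its clock is not synchronized"
    if info["stratum"] == 0:
        return False, "kiss-o'-death / unspecified stratum"
    if info["stratum"] >= 16:
        return False, "stratum 16 or higher: not synchronized"
    if info["transmit_time"] == NTP_EPOCH:
        return False, "transmit timestamp is zero"
    return True, "ok"


def build_ntp_reply(stratum: int, ref_id: bytes, leap: int = 0,
                    unix_time: int = 1_700_000_000) -> bytes:
    """Construct a minimal NTPv4 server reply (mode 4) for the examples below; test data only."""
    flags = (leap << 6) | (4 << 3) | 4
    xmit = (unix_time + NTP_UNIX_OFFSET) << 32
    return struct.pack(NTP_HEADER, flags, stratum, 6, -20, 0, 0,
                       int.from_bytes(ref_id.ljust(4, b"\x00"), "big"), xmit, 0, xmit, xmit)


if __name__ == "__main__":
    for label, pkt in [
        ("stratum 1 GPS server", build_ntp_reply(1, b"GPS")),
        ("stratum 2 server synced to 192.168.10.1", build_ntp_reply(2, bytes([192, 168, 10, 1]))),
        ("unsynchronized server", build_ntp_reply(16, b"INIT", leap=3)),
    ]:
        info = parse_ntp_packet(pkt)
        print(f"{label}: stratum {info['stratum']} ({info['stratum_class']}), "
              f"ref {info['reference_id']}, usable={is_usable_time_source(info)}")
```

On a WinCC PC the same fields are reported by `w32tm /query /status`; a stratum of 16, a leap indicator of 3 or a reference ID such as LOCL on a server that is supposed to follow the plant time source means the hierarchy described above is broken and must be fixed before the archive timestamps can be trusted.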


Subnet
Source: Microsoft Help and Support Center Windows Server 2003 A subdivision of an IP (Internet Protocol) network. Each subnet has its own unique network ID. See also: Internet Protocol (IP)

SUS
See definition for: Software Update Service (SUS)

Systems Management Server (SMS)
Source: Microsoft Help and Support Center Windows Server 2003 A Microsoft product featuring inventory, software deployment and diagnostics tools. SMS significantly automates the task of upgrading software, supports remote problem-solving, provides asset management information, manages software licenses, and monitors computers and networks. See also: Microsoft Baseline Security Analyzer (MBSA), Software Update Services (SUS), Windows Update Service (WUS)

TCP/IP
See definition for: Transmission Control Protocol/Internet Protocol (TCP/IP)

Terminal bus
The terminal bus connects the WinCC PCs on the control layer. See also: Plant bus

Transmission Control Protocol/Internet Protocol (TCP/IP)
Source: Microsoft Help and Support Center Windows Server 2003 A set of software networking protocols widely used on the Internet that enable communication across interconnected networks of computers with a variety of hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic. See also: Internet Protocol (IP)

Trojan horse
Source: Microsoft Help and Support Center Windows Server 2003 A program disguised as another, legitimate program in order to gain information or access. An example of a Trojan horse is a program purporting to be a system message prompting for the user's name and password, which it later uses to penetrate the system. See also: Virus, Worm


Tunnel
Source: Microsoft Help and Support Center Windows Server 2003 A logical connection over which data are encapsulated. This usually involves both encapsulation and encryption. The tunnel forms a private, secure connection between the remote user or host and a private network. See also: Host, Encryption

Tunneling protocol
Source: Microsoft Help and Support Center Windows Server 2003 A tunneling protocol is a communication standard used to manage tunnels and encapsulate private data. Tunneled data must also be encrypted to be a VPN (Virtual Private Network) connection. Two frequently used tunneling protocols are Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). See also: Layer Two Tunneling Protocol (L2TP), Point-To-Point Tunneling Protocol (PPTP), Virtual Private Network (VPN)

User account
Source: Microsoft Help and Support Center Windows Server 2003 In Active Directory, an object that consists of all the information that defines a domain user. This includes the user name, the password and the groups of which the user account is a member. User accounts can be stored in Active Directory or on the local computer. Use local users and groups to manage local user accounts on computers running Windows XP Professional and member servers running Windows Server 2003. Use Active Directory users and computers to manage domain user accounts on domain controllers running Windows Server 2003.

User Datagram Protocol (UDP)
Source: Microsoft Help and Support Center Windows Server 2003 A transport protocol that complements TCP (Transmission Control Protocol) by offering a connectionless datagram service. UDP guarantees neither delivery nor correct sequencing of delivered packets (similar to the Internet protocol, IP); it is used, for example, by SNTP and RADIUS. See also: Transmission Control Protocol/Internet Protocol (TCP/IP)

User rights
Source: Microsoft Help and Support Center Windows Server 2003 Tasks a user is permitted to perform on a computer system or domain. There are two types of user right: privileges and logon rights. An example of a privilege is the right to shut down the system. An example of a logon right is the right to log onto a computer locally. Both types are assigned by administrators to individual users or groups as part of the security settings for the computer. See also: Logon rights, Domain, Privilege


Virtual Private Network (VPN)
Source: Microsoft Help and Support Center Windows Server 2003 The extension of a private network that provides encapsulated, encrypted and authenticated connections across shared or public networks. VPN connections support remote access and router-to-router connections for private networks over the Internet. See also: Authentication, Routing, Tunnel, Encryption, Remote Access

Virus
Source: Microsoft Help and Support Center Windows Server 2003 A program that attempts to copy itself from one computer to another, usually by attaching itself to other programs or files, and then do damage there (by deleting or corrupting files) or aggravate users (by displaying unwanted messages on the screen or changing the normal display). See also: Trojan horse, Worm

Wide Area Network (WAN)
Source: Microsoft Help and Support Center Windows Server 2003 A communication network connecting geographically separated computers, printers and other devices. A WAN allows any connected device to interact with any other on the network.

WinCC PC
All PCs used in a WinCC plant, such as WinCC servers and clients, WinCC configuration stations, central archive servers, etc. See also: Plant PC

Windows Internet Name Service (WINS)
Source: Microsoft Help and Support Center Windows Server 2003 A software service that dynamically maps IP addresses to computer names (NetBIOS - Network Basic Input/Output System - names). This allows users to access resources by name instead of requiring them to use IP addresses, which are difficult to recognize and remember. See also: Service, IP address, Network Basic Input/Output System (NetBIOS)


Windows Software Update Service (WSUS)
WSUS is the successor to the Microsoft Software Update Service (SUS). WSUS additionally enables security updates for Microsoft Office, Microsoft Exchange Server and Microsoft SQL Server. It also provides the following new features:
- Formation of groups for distribution of patches
- Improved reporting system
- Forced distribution at specific points in time
- Distribution of critical driver updates
- Simplified first-time installation
- Programming interface (API)

See also: Microsoft Baseline Security Analyzer (MBSA), Software Update Services (SUS), Systems Management Server (SMS)

WINS
See definition for: Windows Internet Name Service (WINS)

Workgroup
Source: Microsoft Help and Support Center Windows Server 2003 A simple grouping of computers created for the sole purpose of helping users to find objects such as printers or shared folders in this group. Workgroups in Windows provide neither centralized user accounts nor centralized authentication, as are available in domains. See also: Authentication, Domain

Worm
A self-replicating malicious program that, unlike a virus, spreads to other computers over the network on its own without needing a host program or user action, and that can substantially impair normal data processing (for example by consuming network bandwidth and system resources). See also: Virus

Zone
Source: Microsoft Help and Support Center Windows Server 2003 In the Macintosh environment, a logical grouping that facilitates browsing the network for resources, such as servers and printers. In a DNS database, a contiguous portion of the DNS tree that is administered as a single separate entity by a DNS server. A zone stores the domain names and data with a corresponding name, except for domain names that are stored in delegated subdomains.

