3 Detailed checklist
Article ID: 109745536, V2.0, 05/2022
© Siemens AG 2022 All rights reserved
Note
Siemens Industry Online Support also contains an application example (see \3\ in chapter 4.3). This application example provides an SNTP server on the S7-300/400/1200/1500 CPUs. With this SNTP server, it is possible to push a uniform CPU time to all components.
3.3 Disable unencrypted protocols
Menu path
You can find this information in the following paths:
• With MSPS: "System > Configuration"
• With X-200 and X-300: "Agent"
Recommendations for X-200 and X-300 devices
• Use "SSH".
• If you do not use the CLI, disable "Telnet" and "SSH".
• Enable "HTTPS Only".
• After commissioning, enable "DCP Read Only" mode for the DCP function.
• Use "SNMPv1/v2c/v3". Ideally, you would completely disable "SNMPv1/v2c/v3" and instead use the secure "SNMPv3" variant.
• Tick the "SNMPv1/v2 Read-Only" checkbox to prevent changes to the device configuration via insecure "SNMP Set" requests. Change the Community Strings for SNMPv1/v2c.
Note
With SNMPv1/v2, data are transmitted over the wire in cleartext. With SNMPv3, the client can neither write nor read without a valid logon, and data are transmitted in encrypted form.
Recommendations for MSPS devices
• Use "SSH Server".
• Select the "High" level for "SSH Key Exchange Algorithm Level". If you do not use the CLI, disable both Telnet and SSH.
• Disable the HTTP server and enable the HTTPS server.
• Select the option "Redirect HTTP to HTTPS" as HTTP service. This setting disables HTTP management, but the device remains addressable over HTTP and automatically redirects to HTTPS.
• Restrict the "Minimum TLS Version" to TLSv1.2. If the browser supports TLSv1.3, this version will be used anyway. Restricting the minimum to V1.3 can cause problems with older browsers in some cases, because a browser that does not support this version can no longer connect when only V1.3 is available.
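As an added example (not Siemens code and not a SCALANCE feature), the following Python script audits a device's management-service settings against both recommendation lists above, the X-200/X-300 list and the MSPS list, and reports every deviation with the matching recommendation. The key/value configuration format, the setting names and the two sample configurations are constructed for this illustration and are assumptions; a real device's exported configuration would need its own parser, but the rule set is the part worth keeping.

```python
"""Audit management-service settings against the section 3.3 checklist.

Added example, not Siemens code. The 'key = value' configuration format,
the setting names and both sample configurations below are constructed
assumptions, not the real SCALANCE CLI or web-export format.
"""
from dataclasses import dataclass

# Community strings shipped by many SNMP implementations; any match is a finding.
DEFAULT_COMMUNITIES = {"public", "private"}
ON_VALUES = {"on", "enabled", "yes", "true", "1"}


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    recommendation: str


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment (constructed format)."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower()] = value
    return cfg


def tls_minor(version: str) -> float:
    """'TLSv1.2' -> 1.2; an unknown or empty string is treated as the worst case (0)."""
    try:
        return float(version.lower().removeprefix("tlsv"))
    except ValueError:
        return 0.0


def audit(cfg: dict[str, str], cli_in_use: bool = False) -> list[Finding]:
    """Return one Finding per checklist item the configuration violates."""
    findings: list[Finding] = []

    def on(key: str) -> bool:
        return cfg.get(key, "off").lower() in ON_VALUES

    def flag(key: str, recommendation: str) -> None:
        findings.append(Finding(key, cfg.get(key, "<unset>"), recommendation))

    # Cleartext CLI access (Telnet) is never acceptable.
    if on("telnet"):
        flag("telnet", "disable Telnet; use SSH for CLI access")
    # SSH only if the CLI is actually used, and then with the High key-exchange level.
    if on("ssh") and not cli_in_use:
        flag("ssh", "CLI not in use: disable SSH as well")
    elif on("ssh") and cfg.get("ssh_key_exchange_level", "").lower() != "high":
        flag("ssh_key_exchange_level", "set 'SSH Key Exchange Algorithm Level' to High")
    # Web management: HTTPS on, HTTP at most as a redirect to HTTPS.
    if not on("https"):
        flag("https", "enable the HTTPS server")
    if on("http") and cfg.get("http_service", "").lower() != "redirect_to_https":
        flag("http", "disable HTTP or set the HTTP service to 'Redirect HTTP to HTTPS'")
    if tls_minor(cfg.get("minimum_tls_version", "")) < 1.2:
        flag("minimum_tls_version", "restrict the minimum TLS version to TLSv1.2")
    # SNMP: v3 preferred; if v1/v2c stays on it must be read-only with non-default strings.
    if on("snmpv1v2c"):
        if not on("snmpv1v2_read_only"):
            flag("snmpv1v2_read_only", "tick 'SNMPv1/v2 Read-Only' to block SNMP Set requests")
        for key in ("snmp_read_community", "snmp_write_community"):
            if cfg.get(key, "").lower() in DEFAULT_COMMUNITIES:
                flag(key, "change the default community string")
    # DCP may write device settings only during commissioning.
    if cfg.get("dcp_mode", "").lower() != "read_only":
        flag("dcp_mode", "enable 'DCP Read Only' after commissioning")
    return findings


# Constructed sample: a device still at factory-style settings.
WEAK_CONFIG = """
telnet = on
ssh = on
ssh_key_exchange_level = medium
http = on
http_service = plain
https = off
minimum_tls_version = TLSv1.0
snmpv1v2c = on
snmpv1v2_read_only = off
snmp_read_community = public
snmp_write_community = private
dcp_mode = read_write
"""

# Constructed sample: the same device after applying section 3.3.
HARDENED_CONFIG = """
telnet = off
ssh = on
ssh_key_exchange_level = high
http = on
http_service = redirect_to_https
https = on
minimum_tls_version = TLSv1.2
snmpv1v2c = off          # SNMPv3 only
snmpv3 = on
dcp_mode = read_only
"""


def weak_findings() -> list[Finding]:
    return audit(parse_config(WEAK_CONFIG), cli_in_use=True)


def hardened_findings() -> list[Finding]:
    return audit(parse_config(HARDENED_CONFIG), cli_in_use=True)


if __name__ == "__main__":
    for f in weak_findings():
        print(f"{f.setting} = {f.value}: {f.recommendation}")
    print(f"hardened config: {len(hardened_findings())} findings")
```

Run as a script, the weak configuration produces nine findings (Telnet, SSH key-exchange level, HTTPS off, plain HTTP, TLSv1.0, writable SNMPv1/v2, both default community strings, DCP read/write) and the hardened one produces none. The `cli_in_use` flag mirrors the checklist's "if you do not use the CLI" condition: with it set to `False`, an enabled SSH server is itself reported.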