BECKHOFF IPC-Security User Manual

Template

Description

Disallowed

Software will not run, regardless of the access rights of the user. Blocks users from
executing an application by default – other specific rules (exceptions, see below) may
override this one.

Basic User

Allows users to execute applications that do not require administrative privileges – to
allow users to run applications with administrative privileges a specific rule must be
created.

Unrestricted (default)

Users are able to execute any application by default – other specific rules (exceptions,
see below) may override this one.

To create an exception for a security level, you need to create a rule for a specific software. You can create
the following rule types:

Exception Type

Description

Hash rule

Sets the exception to the hash value of a given file. This ensures that only the spec-
ified file with its unique hash value can be used for this exception. It is important to
understand that this hash value can change, for example when updating the applica-
tion (TwinCAT Update!!).

Certificate rule

Specifies a certificate for this exception type. This rule degrades the execution of
applications as the certificate validity must be checked every time the application is
executed.

Path rule

The path can either be a path in the file system or in the Windows registry

Network zone rule

Uses zones as defined in Internet Explorer

Please note that you may use wildcards for a path rule, for example to create an exception for all executable
files under C:\Windows\System32. Other important settings include the Enforcement and Designated file
types setting. Enforcement settings allow you to select whether to restrict software execution for ALL user
accounts or only for non-Administrators.

The Designated File types setting lets you specify which file types should be treated as executable files.

Please see chapter A.4.1.3 for an overview about all Beckhoff software products and their corresponding
path to the executable file.

3.2.3.6. Windows AppLocker

Windows AppLocker is a feature in Windows 7 (not included in Windows Embedded Standard 7) that further
enhances the functionality of Software Restriction Policies (see chapter A.4).

This section of the IPC-Security Whitepaper will be updated in a future release.

3.2.3.7. Autorun

One of the main reasons an industrial controller is infected by a computer virus is through USB drives or
other mass-storage devices. Viruses that have been written to spread via attached storage devices often
use the Autorun feature of Microsoft Windows to install themselves on the target system. You should disable
this feature.

Please see chapter A.4.3.5 for a Step-by-Step guide.

16