Windows xp / windows 7 – BECKHOFF IPC-Security User Manual

Page 30


5.2.2. Windows XP / Windows 7

5.2.2.1. Remote dial in

Windows XP and Windows 7 enable users to configure a remote dial-in connection (via VPN or an attached
modem) directly to the device. This can be useful, for example, if your current IT infrastructure does not
include enhanced mechanisms such as separate VPN hardware or servers that provide remote access
services.

Both Windows XP and Windows 7 support two possible scenarios: dialing in via a telephone line (and
therefore via a modem attached to the IPC) or via the corporate network (VPN). Both scenarios are
covered in more detail below. Because the configuration steps are largely the same for Windows XP and
Windows 7, this documentation only covers the configuration settings for the latter operating system. In
both cases the configuration takes place in the Control Panel. Please note that, when using a VPN dial-in,
you may need to configure your Internet router so that the dial-in connection is forwarded to your IPC
Controller. Please consult the documentation of your Internet router or ask your IT department about how
to do so.

5.2.2.2. Remote maintenance

The Remote Desktop Protocol (RDP) enables users to establish a remote connection to the desktop of an IPC/EPC.
RDP is activated by default in every Beckhoff operating system image. This article discusses how you can
make sure that you set up RDP in a secure manner.

5.2.2.3. Remote Desktop Protocol (RDP) and Network Level Authentication (NLA)

Since Windows 7, RDP has used Network Level Authentication (NLA) to reduce the risk of denial-of-service
attacks. Before NLA, an RDP client was able to establish a connection to the Windows logon screen without
actually logging on to the RDP server. However, to present the logon screen, the RDP server had to
allocate resources, which an attacker could exploit by starting multiple RDP sessions and thereby
overloading the RDP server. Since the introduction of NLA, remote desktop clients must authenticate
themselves to the RDP server before they even see the remote Windows logon screen. While NLA is enabled
by default in every Windows 7 installation, this is not the case for Windows XP. Since Service Pack 3,
users can also use NLA under Windows XP, which is discussed in [10]. Please consult chapter A.4.3.16 to
see how NLA can be configured.
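The following PowerShell script is an added example and is not taken from the Beckhoff manual or from chapter A.4.3.16; it audits the RDP listener settings on a Windows 7 IPC described above (whether RDP is enabled, whether NLA is required, and which security layer and encryption level are configured) and can optionally enforce NLA. The registry paths and value names are the standard Windows Terminal Server settings; the `-Enforce` switch is this script's own parameter, not a Beckhoff setting.

```powershell
# Added example (not from the Beckhoff manual): audit the RDP listener's
# NLA and security-layer settings on Windows 7 and optionally enforce NLA.
# Run from an elevated PowerShell prompt on the IPC. The -Enforce switch
# is an assumption of this script, not a documented Beckhoff parameter.
param([switch]$Enforce)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpSetting {
    # Read a DWORD value, falling back to the documented default when the
    # value has never been written to the registry.
    param([string]$Key, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# 1 = incoming RDP connections are refused entirely
$rdpDisabled   = Get-RdpSetting $tsKey  'fDenyTSConnections' 1
# 1 = NLA required: the client authenticates before the logon screen is shown
$nlaRequired   = Get-RdpSetting $rdpKey 'UserAuthentication' 0
# 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS required
$securityLayer = Get-RdpSetting $rdpKey 'SecurityLayer' 1
# 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS compliant
$minEncryption = Get-RdpSetting $rdpKey 'MinEncryptionLevel' 2

"RDP enabled:            $(-not [bool]$rdpDisabled)"
"NLA required:           $([bool]$nlaRequired)"
"Security layer:         $securityLayer (2 = TLS)"
"Min. encryption level:  $minEncryption (3 = High)"

if (-not $rdpDisabled -and -not $nlaRequired) {
    Write-Warning 'RDP accepts connections without NLA: unauthenticated clients reach the logon screen.'
    if ($Enforce) {
        Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord
        Set-ItemProperty -Path $rdpKey -Name 'SecurityLayer'      -Value 2 -Type DWord
        'NLA and TLS security layer set; restart the TermService service or reboot to apply.'
    }
}
```

Run the script without parameters to get a read-only report, and with `-Enforce` to switch the listener to NLA with TLS. Enforcing NLA means clients that do not support CredSSP (such as Windows XP without the Service Pack 3 update mentioned above) can no longer connect, so check your remote maintenance clients before enabling it.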
