beautypg.com

Appendix, Remote maintenance, Notes about the remote desktop protocol (rdp) – BECKHOFF IPC-Security User Manual

Page 32: A. appendix, A.1. remote maintenance

background image

A. Appendix

A.1. Remote Maintenance

Remote maintenance has always been an important part of every industrial controller. In case of a prob-
lem, service employees or application programmers could remotely connect to the IPC operating system
and perform their maintenance operation. This article will cover some of the basic scenarios from an IT
infrastructure point-of-view and discusses several possibilities how to secure the communication between
service computer and the industrial controller. Please note that this documentation makes use of standard
technologies which are available in most IT infrastructures and IPC operating systems. The Remote Desk-
top Protocol (RDP) will be used as an example remote maintenance tool because it is available by default
on Windows 7 based operating systems.

A.1.1. Notes about the Remote Desktop Protocol (RDP)

The configuration of RDP under Windows XP or Windows 7 has already been covered in chapter 5.2.2.3
However, that chapter did not discuss RDP as seen from a security perspective when used in different
remote maintenance scenarios as described here in this document. As it may be possible to use a raw RDP
connection via the Internet, for example by just creating a port forwarding to the default RDP port 3389/tcp
in your router, it is strongly recommended that you always use a secure channel for RDP communications,
for example by establishing a VPN/IPSec connection to the desired target first.

Please also make sure that you use an RDP version that supports Network Level Authentication (NLA) to
reduce the risk of Denial-of-Service attacks because of a high amount of concurrent RDP sessions. NLA
reduces that risk by offering an authentication prompt before the actual RDP session gets established.
Therefore, the RDP-Server (in our case: the IPC) only starts to allocate resources for the client session if
this pre-authentication was successful.

32