Siemens S7-1200 System Manual page 192

Programming concepts
6.6 Protection
When you download this configuration to the CPU, the user has HMI access and can access
HMI functions without a password. To read data, the user must enter the configured
password for "Read access" or the password for "Full access (no protection)". To write data,
the user must enter the configured password for "Full access (no protection)".
Unauthorized access to a protected CPU
Users with CPU full access privileges have privileges to read and write PLC variables.
Regardless of the access level for the CPU, Web server users can have privileges to read
and write PLC variables. Unauthorized access to the CPU or changing PLC variables to
invalid values could disrupt process operation and could result in death, severe personal
injury and/or property damage.
Authorized users can perform operating mode changes, writes to PLC data, and firmware
updates. Siemens recommends that you observe the following security practices:
• Password protect CPU access levels and Web server user IDs (Page 604) with strong
• Enable access to the Web server only with the HTTPS protocol.
• Do not extend the default minimum privileges of the Web server "Everybody" user.
• Perform error-checking and range-checking on your variables in your program logic
Connection mechanisms
To access remote connection partners with PUT/GET instructions, the user must also have
permission.
By default, the "Permit access with PUT/GET communication" option is not enabled. In this
case, read and write access to CPU data is only possible for communication connections
that require configuration or programming both for the local CPU and for the communication
partner. Access through BSEND/BRCV instructions is possible, for example.
Connections for which the local CPU is only a server (meaning that no
configuration/programming of the communication with the communication partner exists at
the local CPU), are therefore not possible during operation of the CPU, for example:
● PUT/GET, FETCH/WRITE or FTP access through communication modules
● PUT/GET access from other S7 CPUs
● HMI access through PUT/GET communication
192
WARNING
passwords. Strong passwords are at least eight characters in length, mix letters,
numbers, and special characters, are not words that can be found in a dictionary, and
are not names or identifiers that can be derived from personal information. Keep the
password secret and change it frequently.
because Web page users can change PLC variables to invalid values.
S7-1200 Programmable controller
System Manual, 03/2014, A5E02486680-AG