Siemens SIMATIC S7-1200 Manual page 83

Easy book

When you download this configuration to the CPU, the user has HMI access and can access
HMI functions without a password. To read data, the user must enter the configured
password for "Read access" or the password for "Full access (no protection)". To write data,
the user must enter the configured password for "Full access (no protection)".

WARNING
Unauthorized access to a protected CPU
Users with CPU full access privileges have privileges to read and write PLC variables.
Regardless of the access level for the CPU, Web server users can have privileges to read
and write PLC variables. Unauthorized access to the CPU or changing PLC variables to
invalid values could disrupt process operation and could result in death, severe personal
injury and/or property damage.
Authorized users can perform operating mode changes, writes to PLC data, and firmware
updates. Siemens recommends that you observe the following security practices:
• Password protect CPU access levels and Web server user IDs with strong passwords.
  Strong passwords are at least eight characters in length, mix letters, numbers, and
  special characters, are not words that can be found in a dictionary, and are not names
  or identifiers that can be derived from personal information. Keep the password secret
  and change it frequently.
• Enable access to the Web server only with the HTTPS protocol.
• Do not extend the default minimum privileges of the Web server "Everybody" user.
• Perform error-checking and range-checking on your variables in your program logic
  because Web page users can change PLC variables to invalid values.

Connection mechanisms
To access remote connection partners with PUT/GET instructions, the user must also have
permission.
By default, the "Permit access with PUT/GET communication" option is not enabled. In this
case, read and write access to CPU data is only possible for communication connections
that require configuration or programming both for the local CPU and for the communication
partner. Access through BSEND/BRCV instructions is possible, for example.
Connections for which the local CPU is only a server (meaning that no
configuration/programming of the communication with the communication partner exists at
the local CPU), are therefore not possible during operation of the CPU, for example:
● PUT/GET, FETCH/WRITE or FTP access through communication modules
● PUT/GET access from other S7 CPUs
● HMI access through PUT/GET communication
If you want to allow access to CPU data from the client side, that is, you do not want to
restrict the communication services of the CPU, follow these steps:
1. Configure the protection access level to be any level other than "No access (complete
   protection)".
2. Select the "Permit access with PUT/GET communication" check box.

Easy to create the device configuration
5.7 Protecting access to the CPU or code block is easy
Easy Book
Manual, 03/2014, A5E02486774-AF
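
One way to apply the range-checking recommendation from the warning above, written in SCL as an added example (not code from the Siemens manual). The block name, the parameter names and the use of the low limit as the start-up fallback are assumptions.

```scl
// Added example: keeps a value that Web page or HMI users can write
// separate from the value the control logic actually uses.
FUNCTION_BLOCK "FB_CheckedSetpoint"   // hypothetical block name
VAR_INPUT
    requested : Real;     // tag that is writable from the Web server or HMI
    lowLimit  : Real;     // lowest value the process tolerates
    highLimit : Real;     // highest value the process tolerates
END_VAR
VAR_OUTPUT
    accepted    : Real;   // only this value is passed on to the control logic
    rejected    : Bool;   // TRUE while the requested value is being refused
    configError : Bool;   // TRUE when the limits themselves are inconsistent
END_VAR
VAR
    lastGood    : Real;   // last value that passed the check
    hasGood     : Bool;   // FALSE until a first valid value has been seen
    rejectCount : UDInt;  // number of refused writes, for diagnostics
END_VAR
BEGIN
    // Error check: limits that contradict each other refuse every value.
    #configError := #lowLimit > #highLimit;

    // Range check: an invalid REAL (NaN) fails both comparisons and is refused.
    IF NOT #configError
       AND (#requested >= #lowLimit) AND (#requested <= #highLimit) THEN
        #lastGood := #requested;
        #hasGood  := TRUE;
        #rejected := FALSE;
    ELSE
        // Count each refusal once, on the transition into the rejected state.
        IF NOT #rejected THEN
            #rejectCount := #rejectCount + 1;
        END_IF;
        #rejected := TRUE;
    END_IF;

    // Out-of-range writes never reach the process: hold the last good value,
    // or the low limit (assumed to be the safe choice) before one exists.
    IF #hasGood THEN
        #accepted := #lastGood;
    ELSE
        #accepted := #lowLimit;
    END_IF;
END_FUNCTION_BLOCK
```

The `rejected` and `rejectCount` values can be shown on an HMI or evaluated in the program, so that repeated invalid writes are noticed rather than silently discarded.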
