Web server
12.2 Configuring Web server users
If you have set a user-defined Web page to be the entry page (Page 1058) for the Web
server, the Everybody user must have the "Open user-defined web pages" privilege.
WARNING
Access to Web server
Granting privileges to the "Everybody" user makes it possible to log in to the Web server
with no password. Unauthorized access to the CPU or changing PLC variables to invalid
values could disrupt process operation and could result in death, severe personal injury
and/or property damage.
Because the "Everybody" user when granted sufficient privileges can perform operating
mode changes, writes to PLC data, and firmware updates with no password, Siemens
recommends that you observe the following security practices:
• Enable access to the Web server only with the HTTPS protocol.
• Password-protect Web server user IDs with a strong password. Strong passwords are at
  least ten characters in length, mix letters, numbers, and special characters, are not
  words that can be found in a dictionary, and are not names or identifiers that can be
  derived from personal information. Keep the password secret and change it frequently.
• Do not extend the default minimum privileges of the "Everybody" user.
• Perform error-checking and range-checking on your variables in your program logic
  because Web page users can change PLC variables to invalid values.
• Use a secure Virtual Private Network (VPN) to connect to the S7-1200 PLC Web server
  from a location outside your protected network.
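The range-checking practice above can be implemented by letting Web pages write only to a staging tag that the program validates before use. The following SCL block is an added example, not code from this manual; the block name "WebSetpointGuard" and all tag names are hypothetical, and it assumes that activeValue is initialized to a safe in-range value.

```scl
FUNCTION_BLOCK "WebSetpointGuard"
VAR_INPUT
    minValue : Real;        // lowest value the process may accept
    maxValue : Real;        // highest value the process may accept
    ack : Bool;             // operator acknowledge, clears the latched flag
END_VAR
VAR_OUTPUT
    rejected : Bool;        // latched: an out-of-range write was refused
END_VAR
VAR_IN_OUT
    webValue : Real;        // staging tag, the only tag the Web page may write
    activeValue : Real;     // value the control logic actually uses
END_VAR
VAR
    rejectCount : DInt;     // number of refused writes, kept in the instance DB
END_VAR
BEGIN
    // Clear the latch first so a rejection in this same scan is still reported.
    IF #ack THEN
        #rejected := FALSE;
    END_IF;

    // Accept the staged value only when it is positively inside the limits.
    // Anything that fails either comparison takes the reject path.
    IF (#webValue >= #minValue) AND (#webValue <= #maxValue) THEN
        #activeValue := #webValue;
    ELSIF #webValue <> #activeValue THEN
        // Refuse the write: keep the last accepted value, restore the staging
        // tag so the Web page displays what is really in effect, and latch
        // the event for the HMI or alarm logic.
        #webValue := #activeValue;
        #rejected := TRUE;
        #rejectCount := #rejectCount + 1;
    END_IF;
    // If webValue equals activeValue and both are out of range (for example
    // after changed limits), nothing is counted, so the counter does not run
    // up every scan.
END_FUNCTION_BLOCK
```

Call one instance per Web-writable variable every scan, and have the rest of the program read only activeValue.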
S7-1200 Programmable controller
System Manual, V4.2, 09/2016, A5E02486680-AK