Issue
Any third party BACnet client can initiate an EBO backup.
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Enterprise Server
- Building Operation Automation Server
Cause
As of EBO 2023 (5.0.2.109), EBO's BACnet backup operation requires no password which means any BACnet client with the EBO server BACnet interface's device ID can initiate an EBO backup without any restrictions.
Any such backup can be identified by looking at the backup description in EBO, the backup will explicitly indicate that it was generated by third party BACnet Workstation.
Resolution
EBO 2024 (V6.0.1) or higher:
In BACnet Interface basic tab, "Restrict backup and restore service" can be set to Yes to ensure that third-party BACnet clients cannot perform a BACnet backup or restore on the EcoStruxure BMS server. Refer to: BACnet Interface for an Automation Server – Basic Tab and BACnet Interface for an Enterprise Server – Basic Tab
EBO 2022 (4.0.4CP2 or higher) and EBO 2024 (V5.0.3 or higher):
A rule can be added to the BACnet service_blacklist to disable BACnet backup service.
See https://community.se.com/t5/Building-Automation-Knowledge/BACnet-RULES-implementation-to-disable-fea... for details on how to create service_black list.
Use the following syntax to create a rule that restricts BACnet back up initiated by 3rd party BACnet client on the EBO server.
<blacklist>
<global>
<restrict-backup-service/>
</global>
</blacklist>
Any BACnet client requesting backup from EBO server configured with the above rule will be presented with error similar to screenshot below.
