Security in PLM System Windchill – Part 1 of 2

Security is something we often seem to take for granted. The problem with this is when something goes wrong, like an unauthorized person access information or servers, the consequences can be enormous. In recent years, there have been many so-called Ransomware attacks; That hijackers encrypt the data on the server, consequently no one can open the files on the disk without the correct password. To get the password, you must pay the hijackers. Here is an example of a hospital that got its servers hijacked:

This is just a type of attack, but methods and consequences are many more. Therefore, it is important to have an overall idea about security and minimize the risk of unauthorized access to the system. In the hospital example it is very clear that you had an intrusion, but think what might happen if you do not notice anything? If drawings, documents and information in your Product Lifecycle Management System (PLM) like Windchill ends up to the wrong people. It may have far-reaching consequences, as someone else may be able to study and copy future products.
What can we do in and around Windchill to minimize the risk for this to happening?
I will now highlight how data is stored in Windchill and what you can do to increase your safety. The first example is not solely linked to security, but should be raised because of its significance; backup.
Backup in Windchill
A good backup cannot prevent an intrusion or anyone coming over secret information. But it’s invaluable if anything would happen! A good backup is something everyone should have. When I talk about a good backup, I mean a backup that allows you to restore the entire system, at a certain time, even if the server cannot be saved. The key to this is:

Back up the correct files.
Save your backups individually from the remaining system.

One reason this concerns security is primarily because with a sufficiently good backup you can bypass a hijacked server by either resetting the server or restoring a new server with the backup. So whatever security solution; Make sure backup is made at least daily and saved separately from the server. It’s a good starting point for what comes below.
Access to the Windchill servers

Begin by making sure that only those who need access to the Windchill servers. This applies to everything from remote desktop to file access. Seems obvious but needs to be reviewed on a regular basis.

Only with file access to the server can cause great damage! This makes it possible for a person to add malicious code in the installation, which is run at start (boot). Even logging in to Windchill and accessing data may be possible in this way.


Standard for most people is an anti-virus program. But it should be noted that the PTC recommends that the virus scanner does not scan through the Windchill installation as this may cause errors and degrade performance.

IP – Information

Unfortunately, it is not uncommon for information (IP) to be sent by e-mail. It may be login credentials, VPN information or documentation. You should avoid sending such information via e-mail, but of course it cannot always be avoided. In that case, it is good to separate information from each other. For example, that usernames are sent by email and passwords are sent in a text message. This reduces the risk of unauthorized disclosure of complete information.

As I mention, this is part one on the theme of Security with and in Windchill. In an upcoming blog post, I will give you tips how to achieve a safer Windchill environment. I will include HTTPS and Security Labels, which is very useful when you start managing documentation in Windchill.

All the best
Jesper Johansson