IndigoVision. Control Center. Security Hardening Guide


THIS MANUAL WAS CREATED ON MONDAY, JANUARY 15,
DOCUMENT ID: IU-SMS-MAN011-2

Legal Considerations

LAWS THAT CAN VARY FROM COUNTRY TO COUNTRY MAY PROHIBIT CAMERA SURVEILLANCE. PLEASE ENSURE THAT THE RELEVANT LAWS ARE FULLY UNDERSTOOD FOR THE PARTICULAR COUNTRY OR REGION IN WHICH YOU WILL BE OPERATING THIS EQUIPMENT. INDIGOVISION LTD. ACCEPTS NO LIABILITY FOR IMPROPER OR ILLEGAL USE OF THIS PRODUCT.

Copyright

COPYRIGHT INDIGOVISION LIMITED. ALL RIGHTS RESERVED.

THIS MANUAL IS PROTECTED BY NATIONAL AND INTERNATIONAL COPYRIGHT AND OTHER LAWS. UNAUTHORIZED STORAGE, REPRODUCTION, TRANSMISSION AND/OR DISTRIBUTION OF THIS MANUAL, OR ANY PART OF IT, MAY RESULT IN CIVIL AND/OR CRIMINAL PROCEEDINGS.

INDIGOVISION, INDIGOULTRA, INDIGOPRO, INDIGOLITE AND CYBERVIGILANT ARE REGISTERED TRADEMARKS OF INDIGOVISION LIMITED. CAMERA GATEWAY AND MOBILE CENTER ARE UNREGISTERED TRADEMARKS OF INDIGOVISION LIMITED. ALL OTHER PRODUCT NAMES REFERRED TO IN THIS MANUAL ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.

SAVE AS OTHERWISE AGREED WITH INDIGOVISION LIMITED AND/OR INDIGOVISION, INC., THIS MANUAL IS PROVIDED WITHOUT EXPRESS REPRESENTATION AND/OR WARRANTY OF ANY KIND. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAWS, INDIGOVISION LIMITED AND INDIGOVISION, INC. DISCLAIM ALL IMPLIED REPRESENTATIONS, WARRANTIES, CONDITIONS AND/OR OBLIGATIONS OF EVERY KIND IN RESPECT OF THIS MANUAL. ACCORDINGLY, SAVE AS OTHERWISE AGREED WITH INDIGOVISION LIMITED AND/OR INDIGOVISION, INC., THIS MANUAL IS PROVIDED ON AN AS IS, WITH ALL FAULTS AND AS AVAILABLE BASIS. PLEASE CONTACT INDIGOVISION LIMITED (EITHER BY POST OR BY AT WITH ANY SUGGESTED CORRECTIONS AND/OR IMPROVEMENTS TO THIS MANUAL.

SAVE AS OTHERWISE AGREED WITH INDIGOVISION LIMITED AND/OR INDIGOVISION, INC., THE LIABILITY OF INDIGOVISION LIMITED AND INDIGOVISION, INC. FOR ANY LOSS (OTHER THAN DEATH OR PERSONAL INJURY) ARISING AS A RESULT OF ANY NEGLIGENT ACT OR OMISSION BY INDIGOVISION LIMITED AND/OR INDIGOVISION, INC. IN CONNECTION WITH THIS MANUAL AND/OR AS A RESULT OF ANY USE OF OR RELIANCE ON THIS MANUAL IS EXCLUDED TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAWS.

Contact address

IndigoVision Limited
Charles Darwin House, The Edinburgh Technopole, Edinburgh, EH26 0PY

Safety notices

This guide uses the following formats for safety notices:

- Indicates a hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a hazardous situation which, if not avoided, could result in moderate injury, damage the product, or lead to loss of data.
- Indicates a hazardous situation which, if not avoided, may seriously impair operations.
- Additional information relating to the current section.

Security Hardening Guide - v2

TABLE OF CONTENTS

Legal Considerations
Copyright
Contact address
Safety notices
1 Introduction
2 Network
    Standard protection
        Physically secure network infrastructure
        Isolate the Control Center network
        Firewall between Control Center and the Internet
        Disable unused switch ports
        Fault monitoring
    Enhanced protection
        Firewalls within the Control Center network
        Install an Intrusion Detection System
        Enable 802.1x on physically vulnerable accessible network ports
        Network security scanning
3 Control Center workstations
    Standard protection
        Workstation hardware
        User authentication
        Control Center accounts
        Windows user accounts
        Individual administrator accounts
        Site database file share
        Site database access permissions
        Windows Update
        Software and firmware update
        Antivirus
        Windows firewall
    Enhanced protection
        Deploy Control Center Client
        Audit logging
        Offline Windows Updates
        Automate security policy auditing
        Locate workstations securely
4 Cameras and encoders
    Standard protection
        Firmware
        Reset to factory default settings
        Set the administrator password
        Configure time synchronization
        Disable unused services
        Disable basic HTTP authentication
    Enhanced protection
        Enable HTTPS
        Configure a dedicated Control Center device user account
        Configure an IP filter
        Configure 802.1x
        Configure central syslog support
5 Servers
    Standard protection
        Secure physical access to servers
        Windows Update
        Software and firmware update
        Antivirus
        Windows firewall
        Isolate storage networks
        Disable unused services
    Enhanced protection
        Enable HTTPS
        Configure an IP filter
        Automate security policy auditing
6 Control Center Web
    Control Center accounts
    Site Database
    Media server operating system updates
    Application Pool Identity
    HTTPS and TURNS

1 INTRODUCTION

The Control Center Security Hardening Guide is intended to allow administrators to securely deploy IndigoVision Control Center. It is intended to supplement but not replace an organization's existing physical and information security policies.

The guide is divided into the main areas of a Control Center site that require specific security measures:

- Networking infrastructure
- Control Center front-end workstations
- Camera and encoder devices
- Servers providing NVR-AS, License Server, Camera Gateway and other services

The Security Hardening Guide gives guidance on how best to securely configure each area, and how to manage on-going security.

The Security Hardening Guide gives different guidance according to the required level of protection:

- Standard Protection: Guidance considered mandatory for any deployment of Control Center.
- Enhanced Protection: Guidance considered mandatory for larger or more complex installations, or for installations which have more exacting security requirements.

2 NETWORK

This section shows you how to secure your Control Center networking infrastructure. This includes the following:

- How to increase the physical security of devices on your network
- How to configure firewalls and security settings
- What tools you can use to identify threats to the network

Standard protection

This section provides guidance considered mandatory for any deployment of Control Center.

Physically secure network infrastructure

IndigoVision recommends that you physically secure all elements of network infrastructure in locked communications closets. By securing access to the network, you minimize the number of opportunities that attackers have to gain access to sensitive network traffic and devices.

Isolate the Control Center network

For Control Center sites where there is no business need to interoperate with other networks, consider isolating all devices within the Control Center system on a separate network.

To isolate networks, you can physically separate networking equipment from other networks. Alternatively, you can use Virtual LAN (VLAN) technology to logically isolate traffic on the same physical infrastructure.

Although isolating the Control Center network from other networks within the business is a highly effective security measure, it can make other good security practices harder or more complicated. These include keeping software and firmware up to date, or proactive monitoring.

Firewall between Control Center and the Internet

If a Control Center network requires connectivity to the Internet, you can install an appropriate firewall solution. Configure firewalls to restrict access to only those workstations and servers that need to access the Internet. Configure firewall rules to limit the network protocols available to devices on the network.

For details of the network ports required by IndigoVision hardware and software, refer to the Control Center Installation Guide Appendix IndigoVision Firewall Requirements.

With the exception of Control Center Web, IndigoVision strongly recommends that you do not connect any part of a Control Center site directly to the Internet. This includes cameras, encoders, NVR appliances, or workstations.

If you need to connect to a remote site, IndigoVision recommends that you use Virtual Private Networking (VPN) technology to securely connect, authenticate and encrypt data transfer.

IndigoVision strongly recommends that you configure firewall rules to prevent all cameras and encoders from accessing the Internet.

Disable unused switch ports

To reduce the risk that anyone will gain unauthorized access to the Control Center network, disable unused network switch ports. The capability to disable unused ports is common even on basic managed network switches.

Fault monitoring

IndigoVision recommends that you configure fault detectors within Control Center for all cameras, encoders, and NVR appliances within a site. Fault detectors can provide advance warning of an attempt to compromise or interfere with devices. For more information, refer to the Control Center online help.

Enhanced protection

This section provides guidance considered mandatory for larger or more complex installations, or for installations which have more exacting security requirements.

Firewalls within the Control Center network

Large Control Center sites may consist of many hundreds of cameras and encoders. IndigoVision recommends that you follow networking best practices and separate the network into subnets. Each subnet is typically routed using common Layer 3 networking protocols, such as OSPF for unicast data, or PIM Sparse Mode for multicast data.

For systems designed in this manner, IndigoVision recommends that you prevent each subnet containing cameras and encoders from accessing devices on other similar subnets. Access between subnets may be carried out by a dedicated firewall appliance or by the simpler Access Control List (ACL) functionality, which is available on most routers and switches.

Install an Intrusion Detection System

IndigoVision recommends that you use a dedicated Intrusion Detection System on particularly large or complex Control Center networks. An Intrusion Detection System monitors a network continuously and can spot anomalies in network traffic patterns. These anomalies can be used to alert administrators of imminent attacks, and provide forensic evidence to assist with prosecution after a successful attack.

There are many Intrusion Detection Systems available, which vary widely in level of functionality, complexity of setup and monetary cost. CyberVigilant from IndigoVision incorporates an Intrusion Detection System that has been tailored for use with IndigoVision products. The CyberVigilant system has multiple advantages over third party systems:

- Potential attack alerts visible inside Control Center
- Minimizes setup required to monitor IndigoVision based sites
- Fully supported by IndigoVision

For more information on IndigoVision CyberVigilant, refer to the CyberVigilant User Guide.

Enable 802.1x on physically vulnerable accessible network ports

Because of the kind of locations in which cameras and encoders are installed, a determined attacker may be able to physically access the network connection used by these devices. This may mean that the attacker can access the entire Control Center network.

IndigoVision recommends that you use port access control using 802.1x on all edge network switches to which cameras and encoders are connected.

Network security scanning

You can use existing software to regularly scan a network for devices that may exhibit known network vulnerabilities. For large or complex Control Center sites, IndigoVision recommends regular use of such tools. IndigoVision recommends that you keep device detection signatures up to date.

3 CONTROL CENTER WORKSTATIONS

This section shows you how to secure your Control Center workstations. This includes the following:

- How to configure user accounts and passwords
- How to configure secure access to a database
- How to configure updates and antivirus settings

Standard protection

This section provides guidance considered mandatory for any deployment of Control Center.

Workstation hardware

To prevent the running of unauthorized software, or other attempts to bypass software security measures, IndigoVision recommends that you configure all Control Center workstation PCs with a BIOS password.

A password should meet the following requirements:

- A minimum of 8 characters
- A mix of upper case, lower case, numerical characters, and symbolic characters
- Randomly generated using a password generator

IndigoVision recommends using password manager software to securely store passwords.

You can use the same password on multiple workstations. However, if the password on a single workstation is compromised, then the security of all workstations that share that password will also be compromised.

Configure all workstations to use Secure Boot to ensure they only run authorized operating system software.

User authentication

Control Center can authenticate users using either internal password authentication or delegating to Windows user authentication. IndigoVision recommends that you create Control Center users using Windows authentication only, and manage Windows user accounts using Active Directory.

Windows Active Directory authentication enables the following:

- A strong password policy for all users. A password should meet the following requirements:
    - A minimum of 8 characters
    - A mix of upper case, lower case, and numerical characters
    - A password history of 10 passwords
- A central store of user authentication configuration

Control Center can be configured to list all available users in a site in the Login dialog. This option is not the default. IndigoVision recommends that you do not enable this option.

Control Center accounts

Whenever possible, create Control Center users as limited operator users. Only create Control Center users as Full Administrator users if those users need to edit the site database.

When a Windows Domain account is deleted, disable or delete the corresponding Control Center user.

Windows user accounts

IndigoVision recommends that you assign the following types of Windows user accounts:

- Standard user account: Assign this type of account to each Control Center operator. Standard users are not permitted to install software or carry out other administrative tasks.
- Administrator account: Assign this type of account to users carrying out Windows administration. Do not allow administrator accounts to be shared between users.

Individual administrator accounts

When Control Center is installed, it sets up a single administrator account. IndigoVision recommends that all administrators of a Control Center site are given individual accounts tied to their Active Directory Windows user.

Site database file share

IndigoVision recommends that you store the Control Center site database on a secure file server. Store the database on a dedicated file share. Limit the database's directory permissions to Control Center users.

You can achieve additional security by allowing only Control Center administrator users to have write access to the site database location.

Site database access permissions

When creating a Control Center site database, ensure that the default access permission for non-administrator users is set to None. This allows you to use Control Center's flexible user permission model to control which users can manipulate objects in the site database.

Windows Update

IndigoVision recommends that all workstations running the Control Center front-end application have Windows Update enabled and that updates are applied as soon as practicable after release.

IndigoVision only supports operation of Control Center on operating systems that remain within Microsoft's support policy. For more information, refer to the Control Center Client front-end application operating system specifications in the Installation Guide.

Software and firmware update

You should routinely review and update other software and device drivers installed on a Control Center workstation to ensure they are up to date. Reputable software manufacturers regularly update their software in light of security vulnerabilities. If you do not keep ancillary software on a workstation up to date, this may lead to the security of the workstation being compromised.

IndigoVision recommends that you do not routinely install additional software on Control Center workstations without a defined business need.

Antivirus

IndigoVision recommends that you deploy a reputable antivirus solution on all Control Center workstations. Workstations often serve multiple purposes and so may be a route for viruses and other malware to access a security system.

Windows firewall

IndigoVision recommends enabling the Microsoft Windows firewall on all workstations and ensuring that only authorized applications may access the network. For information about the network ports required by the Control Center front-end application, refer to the Control Center Installation Guide Appendix IndigoVision Firewall Requirements.

Enhanced protection

This section provides guidance considered mandatory for larger or more complex installations, or for installations which have more exacting security requirements.

Deploy Control Center Client

If there is no need for administrators to modify the site database on a given workstation, IndigoVision recommends that you deploy Control Center Client to that workstation. Control Center Client cannot write to the site database.

Audit logging

Control Center can maintain a central audit log of actions carried out within the Control Center front-end application. IndigoVision recommends that you configure an audit log database within Control Center. This allows actions of operators to be reviewed for suspicious activity, and for forensic purposes in the event of misuse.

Offline Windows Updates

Many security networks do not have a direct Internet connection. Microsoft provides Windows Server Update Services (WSUS), which allows updates to be distributed within an otherwise isolated network. You should also use WSUS to test updates for correct operation prior to rolling out to all workstations.

Automate security policy auditing

To ensure that workstations adhere to the expected security policies in place within an organization, IndigoVision recommends that you use tools to automatically review the security settings of the workstation.

You can use the Microsoft Security Compliance Manager to assess the security status and apply updated security policies for the Windows Operating System. A centrally managed antivirus solution allows you to maintain the scanning and virus signature update status of each workstation.

Locate workstations securely

IndigoVision recommends that you control access to Control Center workstations using physical access control measures. Workstations are particularly vulnerable to unauthorized access when USB ports can be physically accessed.

4 CAMERAS AND ENCODERS

This section shows you how to secure your Control Center cameras and encoders. This includes the following:

- How to reset to factory default settings
- How to set an administrator password
- How to configure the time settings on Control Center devices
- How to manage authentication settings

Standard protection

This section provides guidance considered mandatory for any deployment of Control Center.

Firmware

Firmware is the software installed within a camera or encoder that controls the operation of the device. IndigoVision regularly updates the firmware for its range of cameras and encoders with both security updates and bug fixes.

Before use, update the firmware for each device to the most recent version. IndigoVision Control Center offers a mechanism to bulk upgrade both IndigoVision devices and those provided by third party manufacturers.

Reset to factory default settings

Before attempting to install or secure a device, ensure that the device is in a known state. To do this, reset the device to its factory default settings. For more information, refer to the appropriate guide for the device.

Set the administrator password

Setting a strong administrator password on a device is critical to ensuring its network security and ensuring that it can only be accessed by authorized users.

A password should meet the following requirements:

- A minimum of 8 characters
- A mix of upper case, lower case, numerical characters, and symbolic characters
- Randomly generated using a password generator
- Different from the default password

If you do not change the default factory password, you remove all security from the device and permit access to any attacker who can access the network.

If you are setting the password over an insecure network which may be liable to network sniffing, enable HTTPS to ensure that passwords are not sent in clear text over the network.

IndigoVision Cameras and Encoders do not enforce a specific password policy. This allows integration with existing device password policies within a given organization.

You can use the same password on multiple devices. However, if the password on a single device is compromised, then the security of all devices that share that password will also be compromised.

For larger Control Center sites, IndigoVision recommends that you assign different strong passwords to each sub-site. Use the capability to inherit Device Access permissions to simplify sharing the passwords across groups of devices.

Configure time synchronization

In order for the IP Video Security system to operate correctly, you must ensure that all devices are able to maintain accurate time synchronization. From a security perspective, this is important to allow logging information from multiple parts of the system to be compared for forensic analysis in the event of an intrusion.

Although you can manually configure the time on a given device, IndigoVision recommends that you use the Network Time Protocol (NTP) to automatically and continuously synchronize the time. Every IndigoVision Camera and Encoder has the ability to specify an NTP time server. For more information on configuring the NTP time server, refer to the appropriate guide for the device.

Disable unused services

To minimize the attack surface for intruders, disable services on a given device that are not required for normal operation.

Review the following services, and disable them if they are not required:

- Telnet
- FTP
- SNMP
- UPnP
- Bonjour
- ARP/Ping configuration of IP addresses
- Audio
- IPv6
- ONVIF WS-Discovery (after the camera has been added to Control Center)

Disable basic HTTP authentication

Some third-party IP cameras support HTTP basic authentication, which sends passwords in the clear over the network. Ensure that HTTP basic authentication is disabled. Control Center supports HTTP digest authentication which securely hashes passwords used in ONVIF requests.

Enhanced protection

This section provides guidance considered mandatory for larger or more complex installations, or for installations which have more exacting security requirements.

Enable HTTPS

Accessing a camera or encoder over HTTPS secures network traffic from network sniffing. Carry out all administrative tasks over HTTPS to ensure that the password is not compromised. For more information on configuring HTTPS, refer to the appropriate guide for the device.

IndigoVision recommends the use of a dedicated Certificate Authority to manage issuing security certificates for each device.

Configure a dedicated Control Center device user account

In a typical installation, devices are accessed in the following ways:

- Through the administration web user interface for configuration purposes
- Through the ONVIF protocol for use as part of the Control Center suite

IndigoVision recommends that you create a dedicated administrator-level user to allow Control Center to access the device. This allows you to change the main administrator account password without requiring Control Center to be reconfigured or operations to be interrupted.

Configure an IP filter

Each IndigoVision camera or encoder contains a dedicated device firewall that controls which workstations or servers can access the camera or encoder. You can use this to further enhance network security.

The firewall allows you to specify lists of individual IP addresses or ranges of IP addresses to be allowed. Configure the firewall to allow Control Center front-end application workstations and NVR-AS access. Configure the firewall to allow the IP addresses of NTP and DNS servers. For more information on configuring an IP filter, refer to the appropriate guide for the device.
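The difference between HTTP basic and digest authentication noted under "Disable basic HTTP authentication" above, as an added example that is not part of the IndigoVision guide. It assumes MD5 digest with qop=auth as defined in RFC 2617; the credentials, realm and header values are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import re


def basic_header(username, password):
    """Authorization header value a client sends for HTTP basic authentication."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def recover_basic_credentials(header_value):
    """What any observer of the cleartext HTTP exchange reads from that header."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Digest 'response' field for qop=auth with MD5 (RFC 2617, section 3.2.2).

    Only this hash crosses the network. It is bound to the server's nonce and
    to the request, so it cannot be decoded back into the password.
    """
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))


# A scheme name is a token followed by its parameters or by nothing;
# a parameter is a token followed by "=".
_SCHEME = re.compile(r"\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?=\s+[^=\s]|\s*$)")
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def offered_schemes(www_authenticate_values):
    """Schemes a device offers in the WWW-Authenticate headers of a 401 reply."""
    schemes = []
    for value in www_authenticate_values:
        for piece in _COMMA_OUTSIDE_QUOTES.split(value):
            match = _SCHEME.match(piece)
            if match and match.group(1).lower() not in schemes:
                schemes.append(match.group(1).lower())
    return schemes


def allows_basic(www_authenticate_values):
    """True if the device still accepts basic authentication."""
    return "basic" in offered_schemes(www_authenticate_values)


if __name__ == "__main__":
    # Constructed account, not a real device credential.
    header = basic_header("cc-service", "example-Passw0rd!")
    print("basic header exposes:", recover_basic_credentials(header))

    # Constructed 401 challenge headers from two hypothetical cameras.
    hardened = ['Digest realm="camera", nonce="3f9a,71", qop="auth"']
    legacy = ['Digest realm="camera", nonce="8c21", qop="auth", Basic realm="camera"']
    print("hardened camera offers basic:", allows_basic(hardened))
    print("legacy camera offers basic:", allows_basic(legacy))
```

Running `allows_basic` against the 401 response collected from each third-party camera gives a quick list of devices where basic authentication still needs to be disabled.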

Configure 802.1x

Cameras and encoders are connected via Ethernet networks. Because the cameras are often secured to the outside of buildings and in other public areas, this can make those networks vulnerable to unauthorized physical access.

The IEEE 802.1x standard provides a mechanism for network switches to securely enable access to the network only to authorized devices. All IndigoVision cameras and encoders support 802.1x and IndigoVision recommends that you configure cameras in public areas to use this protocol to prevent unauthorized access to the network. For more information on configuring 802.1x, refer to the appropriate guide for the device.

Configure central syslog support

IndigoVision SMART.core cameras and encoders support configuration of a central syslog server. Because the log entries are centrally available, you can forensically analyze intrusions. You can also refer to log entries for prosecution and future mitigation.

5 SERVERS

This section shows you how to secure your Control Center servers. This includes the following:

- How to increase the physical and network security of servers
- How to configure updates for servers
- How to secure Control Center Web servers

Standard protection

This section provides guidance considered mandatory for any deployment of Control Center.

Secure physical access to servers

IndigoVision recommends that you locate servers in a physically secure server room. Restrict access to the server room to authorized administrators, and maintain an access log. If possible, you should fit the server room with surveillance cameras.

IndigoVision integrates with a wide range of access control systems, which can be used to monitor access to server rooms.

Windows Update

IndigoVision recommends that you enable Windows Update on all NVR-AS 4000 Windows Appliances and third-party Windows servers, and that you apply updates as soon as practicable after release.

For systems where security concerns are more important than service availability (such as systems connected to the Internet), IndigoVision recommends the use of automatic Windows Update so that updates are applied as soon as they are available.

IndigoVision only supports operation of Control Center on operating systems that remain within Microsoft's support policy.

Software and firmware update

Firmware for NVR-AS 3000 and NVR-AS 4000 Linux appliances is regularly updated with security and other bug fixes. You should apply updates as soon as practicable after release to ensure the on-going security of the Control Center site.

As with Control Center workstations, you should regularly review and update software, device drivers or embedded firmware for components of NVR-AS 4000 Windows appliances or other third-party Windows servers.

Antivirus

IndigoVision does not recommend that you install antivirus software on servers dedicated to running Control Center server software such as Windows NVR-AS or Camera Gateway. These servers use dedicated application server network protocols, for which antivirus software offers no protection. Also, these servers are not accessed by end-users directly, so they are not exposed to typical attack vectors for malware or viruses.

If you install antivirus software, the performance of Windows NVR-AS servers may be adversely affected, because of the high disk throughput and sensitivity of video recording to storage latency.

For general purpose file servers used to store end-user data, IndigoVision recommends that you deploy a reputable antivirus solution.

Windows firewall

IndigoVision recommends enabling the Microsoft Windows firewall on all servers and ensuring that only authorized applications may access the network. For information about the network ports required by the Control Center front-end application, refer to the Control Center Installation Guide Appendix IndigoVision Firewall Requirements.

Isolate storage networks

When using Windows NVR-AS software with a third-party network storage solution using iSCSI or Network Attached Storage (NAS), the storage device should be located on a dedicated network. Access to the storage solution should follow the advice for other network devices and be protected by a dedicated password.

A password should meet the following requirements:

- A minimum of 8 characters
- A mix of upper case, lower case, numerical characters, and symbolic characters
- Randomly generated using a password generator

Disable unused services

To minimize the attack surface for intruders, disable services on a given device that are not required for normal operation.

For Windows servers, IndigoVision recommends that you restrict a given server to a single purpose or service.

For NVR-AS 3000 or 4000 appliances, review the following services, and disable them if they are not required:

- Telnet
- FTP
- SNMP
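The password requirements this guide repeats for workstation BIOS, device administrator and storage passwords, together with the per-sub-site and shared-password advice in the Cameras and encoders section, as an added example that is not part of the IndigoVision guide. The symbol set, the default length of 16, the function names and the sub-site names are assumptions made for the example.

```python
import secrets
import string

# Character classes named in the guide's password requirements.
# The symbol set is an assumption; trim it to what your devices accept.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
MIN_LENGTH = 8  # minimum length stated in the guide


def missing_requirements(password, default_password=None):
    """List the guide's requirements that `password` does not meet."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append("no %s character" % name)
    if default_password is not None and password == default_password:
        problems.append("same as the default password")
    return problems


def generate_password(length=16):
    """Random password from the OS CSPRNG that contains every required class.

    Candidates are drawn uniformly and rejected until one complies, so no
    position in the result is biased toward a particular class.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_requirements(candidate):
            return candidate


def passwords_for_subsites(subsites, length=16):
    """One distinct generated password per sub-site, as the guide recommends."""
    assigned = {}
    for name in subsites:
        password = generate_password(length)
        while password in assigned.values():
            password = generate_password(length)
        assigned[name] = password
    return assigned


def shared_groups(device_passwords):
    """Groups of devices that share a password (one compromise exposes all)."""
    by_password = {}
    for device, password in device_passwords.items():
        by_password.setdefault(password, []).append(device)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed sub-site names; store the output in a password manager.
    for site, password in passwords_for_subsites(["north-gate", "car-park"]).items():
        print(site, password)
```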

Enhanced protection

This section provides guidance considered mandatory for larger or more complex installations, or for installations which have more exacting security requirements.

Enable HTTPS

Accessing an IndigoVision NVR-AS 4000 Linux appliance over HTTPS secures network traffic from network sniffing. Carry out all administrative tasks over HTTPS to ensure that the password is not compromised. For more information on configuring HTTPS, refer to the appropriate guide for the NVR-AS appliance.

IndigoVision recommends the use of a dedicated Certificate Authority to manage issuing security certificates for each NVR-AS appliance.

Configure an IP filter

Each IndigoVision NVR-AS 3000 or 4000 Linux appliance contains a dedicated device firewall that controls which devices can access the appliance. You can use this to further enhance network security.

The firewall allows you to specify lists of individual IP addresses or ranges of IP addresses to be allowed. Configure the firewall to allow Control Center front-end application workstations to access the NVR-AS, and to allow the NVR-AS to record and monitor the cameras. Configure the firewall to allow the IP addresses of NTP and DNS servers. For more information on configuring an IP filter, refer to the appropriate guide for the device.

Automate security policy auditing

To ensure that servers running Windows adhere to the expected security policies in place within an organization, IndigoVision recommends that you use tools to automatically review the security settings of the server.

You can use the Microsoft Security Compliance Manager to assess the security status and apply updated security policies for the Windows Operating System.
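A pre-deployment check for the IP filter described above for cameras and encoders and again for NVR-AS appliances, as an added example that is not part of the IndigoVision guide. The "first-last" range notation, the role names and all addresses are constructed assumptions; the device's own guide defines the actual entry format.

```python
import ipaddress


def parse_entry(entry):
    """Expand one allow-list entry into a list of networks.

    Accepts a single address ("10.20.1.5") or an inclusive range written as
    "first-last". The range notation is an assumption made for this example.
    """
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError("range end precedes range start: %r" % entry)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry.strip())]


def review_filter(entries, required):
    """Compare a proposed allow-list with the hosts that must reach the device.

    entries  -- allow-list entries as they would be typed into the IP filter
    required -- mapping of role name to the addresses that need access

    Returns a dict with:
      blocked           -- required hosts the filter would lock out, by role
      unused_entries    -- entries that match no required host
      surplus_addresses -- addresses admitted beyond the required hosts
    """
    allowed = [(entry, net) for entry in entries for net in parse_entry(entry)]
    blocked, used, covered = {}, set(), set()
    for role, hosts in required.items():
        for host in hosts:
            addr = ipaddress.ip_address(host)
            hits = [entry for entry, net in allowed if addr in net]
            if hits:
                used.update(hits)
                covered.add(addr)
            else:
                blocked.setdefault(role, []).append(host)
    # Collapse overlapping entries so shared addresses are counted once.
    collapsed = ipaddress.collapse_addresses(net for _, net in allowed)
    admitted = sum(net.num_addresses for net in collapsed)
    return {
        "blocked": blocked,
        "unused_entries": [e for e in entries if e not in used],
        "surplus_addresses": admitted - len(covered),
    }


# Constructed inventory: the roles the guide says the filter must allow.
SAMPLE_REQUIRED = {
    "Control Center workstations": ["10.20.0.11", "10.20.0.12"],
    "NVR-AS": ["10.20.1.5"],
    "NTP": ["10.20.2.1"],
    "DNS": ["10.20.2.2"],
}

# Constructed proposal: a range wider than needed, a stale entry, no DNS.
SAMPLE_FILTER = ["10.20.0.10-10.20.0.19", "10.20.1.5", "10.20.2.1", "10.20.3.7"]


if __name__ == "__main__":
    result = review_filter(SAMPLE_FILTER, SAMPLE_REQUIRED)
    for role, hosts in result["blocked"].items():
        print("would be locked out: %s %s" % (role, ", ".join(hosts)))
    for entry in result["unused_entries"]:
        print("matches no required host:", entry)
    print("addresses admitted beyond requirement:", result["surplus_addresses"])
```

In the sample, the filter would cut the device off from its DNS server, still admits one address that no role needs, and opens eight spare addresses in the workstation range.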

6 CONTROL CENTER WEB

This section shows you how to secure your Control Center Web servers. All recommendations made for other Control Center servers apply to servers running Control Center Web. As Control Center Web is intended for use in Internet deployments, additional tailored recommendations are also made here.

Deploying any service over the Internet increases the risk to that service and the infrastructure that it uses. Even if all sensible precautions are taken, there is always more risk for Control Center systems connected to the Internet than those running on isolated networks, because such systems are directly connected to a wide range of potentially malicious entities. IndigoVision recommends that an Internet deployment is carefully considered and the risks are understood before exposing any services.

Control Center accounts

The weakest link in an Internet deployment is likely to be the weakest password specified by a Control Center user. An attacker who knows the user's password can access live video from all cameras in the site database which that user has permission to view.

To ensure users of Control Center are following a sensible password policy, IndigoVision recommends that you create Control Center users using Windows authentication only, and manage Windows user accounts with Active Directory. For more information, see "User authentication" on page 9.

Site Database

Control Center Web is designed to work seamlessly with the same site database as an existing Control Center installation. It provides access to all users configured in the site database to all cameras they can access through Control Center.

When deploying over the Internet, IndigoVision recommends that the cameras and users in the site database are audited. If only a subset of the cameras or users require to be accessed via the Internet, use of a separate site database is recommended to avoid exposing other cameras and users unnecessarily.

For more information on configuring the site database securely, see "Site database file share" on page 10.

Media server operating system updates

IndigoVision strongly recommends that the PC or virtual machine running the media server is kept up to date by enabling automatic OS updates through the unattended-upgrades package. For more information on how to configure OS updates, refer to the Control Center Web Administrator's Guide.

Application Pool Identity

Control Center Web uses the ApplicationPoolIdentity Identity by default. This is the most secure and least privileged way to run the application pool.

In order to use a shared site database, it may be necessary to change this Identity to a different user account. When doing so, IndigoVision recommends that you choose an account that has the minimum privileges required for accessing the site database and no additional permissions. IndigoVision strongly discourages the use of NetworkService, LocalService and LocalSystem identities with Control Center Web.

For more information on using a shared site database in Control Center Web, refer to the Control Center Web Administrator's Guide.

HTTPS and TURNS

Control Center Web is designed to only support encrypted communication channels between client devices on the Internet and the Control Center Web servers. It is not possible to use HTTP with the application server, as only HTTPS is supported.

While it is possible for an Administrator to configure the coturn server on the media server to use TURN without encryption, IndigoVision strongly recommends that TURNS is used with the media server to ensure all signalling is encrypted.

IndigoVision recommends that the coturn password configured on the media server should meet the following requirements:

- Minimum 16 characters
- Combine upper case, lower case, numerical, and symbolic characters
- Randomly generated using a password generator
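Both password lists in this guide (minimum 8 characters earlier, minimum 16 for coturn) and the TURNS recommendation can be checked mechanically. The following Python is an added example, not part of the guide or of Control Center Web: it assumes a stock coturn `turnserver.conf` with `user=name:password` or `static-auth-secret=` credentials, and the sample configurations, file paths and symbol set are constructed.

```python
"""Added example: audit a coturn turnserver.conf against the guide's TURNS and
password recommendations. Sample configurations below are constructed."""
import secrets
import string

SAFE_SYMBOLS = "!%*+-_.@^~"  # assumption: symbols that need no quoting in the file


def policy_failures(secret, min_len):
    """List the guide's password requirements that `secret` does not meet."""
    fails = []
    if len(secret) < min_len:
        fails.append(f"shorter than {min_len} characters")
    classes = (("upper case", string.ascii_uppercase),
               ("lower case", string.ascii_lowercase),
               ("numerical", string.digits),
               ("symbolic", string.punctuation))
    for name, chars in classes:
        if not any(c in chars for c in secret):
            fails.append(f"no {name} character")
    return fails


def generate_password(length=16):
    """Draw from the OS CSPRNG until every character class is present."""
    if length < 4:
        raise ValueError("length must allow one character per class")
    alphabet = string.ascii_letters + string.digits + SAFE_SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # coturn treats a user value starting with 0x as a pre-computed key.
        if not policy_failures(pw, length) and not pw.startswith("0x"):
            return pw


def parse_turnserver_conf(text):
    """Split the file into bare flags and key=value options (keys may repeat)."""
    flags, values = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            values.setdefault(key.strip(), []).append(val.strip())
        else:
            flags.add(key.strip())
    return flags, values


def audit_turn_conf(text, min_len=16):
    """Return findings; an empty list means TLS-only with compliant secrets."""
    flags, values = parse_turnserver_conf(text)
    findings = []
    # no-udp / no-tcp stop coturn from starting the plain client listeners.
    for flag, proto in (("no-udp", "UDP"), ("no-tcp", "TCP")):
        if flag not in flags:
            findings.append(f"plain {proto} listener enabled ({flag} not set)")
    if "no-tls" in flags:
        findings.append("TLS listener disabled (no-tls set)")
    for key in ("cert", "pkey"):
        if key not in values:
            findings.append(f"{key} not configured")
    found = [("static-auth-secret", v) for v in values.get("static-auth-secret", [])]
    for entry in values.get("user", []):
        name, _, pw = entry.partition(":")
        if not pw.startswith("0x"):  # hashed keys cannot be policy-checked
            found.append((f"user {name}", pw))
    for label, secret in found:
        findings.extend(f"{label}: {fail}" for fail in policy_failures(secret, min_len))
    return findings


# Constructed samples: unencrypted TURN with a guessable password ...
WEAK_CONF = """
# constructed sample, not a shipped configuration
listening-port=3478
lt-cred-mech
realm=media.example.internal
user=ccweb:Summer2018
"""
# ... and a TLS-only configuration with a generated 16-character password.
HARDENED_CONF = f"""
tls-listening-port=5349
no-udp
no-tcp
cert=/etc/ssl/example/turn.crt
pkey=/etc/ssl/example/turn.key
lt-cred-mech
realm=media.example.internal
user=ccweb:{generate_password(16)}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_turn_conf(conf) or "no findings")
```

Randomness cannot be verified from a finished password, so the audit covers length and character classes only; `generate_password` addresses the third requirement by drawing from the operating system's CSPRNG.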


More information

Security Fundamentals for your Privileged Account Security Deployment

Security Fundamentals for your Privileged Account Security Deployment Security Fundamentals for your Privileged Account Security Deployment February 2016 Copyright 1999-2016 CyberArk Software Ltd. All rights reserved. CAVSEC-PASSF-0216 Compromising privileged accounts is

More information

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0 DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help, please contact Hangzhou

More information

WHITE PAPER. Secure communication. - Security functions of i-pro system s

WHITE PAPER. Secure communication. - Security functions of i-pro system s WHITE PAPER Secure communication - Security functions of i-pro system s Panasonic Video surveillance systems Table of Contents 1. Introduction... 1 2. Outline... 1 3. Common security functions of the i-pro

More information

Web Cash Fraud Prevention Best Practices

Web Cash Fraud Prevention Best Practices Web Cash Fraud Prevention Best Practices Tips on what you can do to prevent Online fraud. This document provides best practices to avoid or reduce exposure to fraud. You can use it to educate your Web

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

BEETLE /mopos Tablet Mobile POS solution

BEETLE /mopos Tablet Mobile POS solution BEETLE /mopos Tablet Mobile POS solution Windows 8.1 Security Advice (July 2015) We would like to know your opinion on this publication. Please send us a copy of this page if you have any constructive

More information

BCM50 Rls 6.0. Router - IP Firewall. Task Based Guide

BCM50 Rls 6.0. Router - IP Firewall. Task Based Guide BCM50 Rls 6.0 Router - IP Firewall Task Based Guide Copyright 2010 Avaya Inc. All Rights Reserved. Notices While reasonable efforts have been made to ensure that the information in this document is complete

More information

Security Principles for Stratos. Part no. 667/UE/31701/004

Security Principles for Stratos. Part no. 667/UE/31701/004 Mobility and Logistics, Traffic Solutions Security Principles for Stratos Part no. THIS DOCUMENT IS ELECTRONICALLY APPROVED AND HELD IN THE SIEMENS DOCUMENT CONTROL TOOL. All PAPER COPIES ARE DEEMED UNCONTROLLED

More information

Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address. SCALANCE S, SOFTNET Security Client

Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address. SCALANCE S, SOFTNET Security Client Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address SCALANCE S, SOFTNET Security Client http://support.automation.siemens.com/ww/view/en/99681083

More information

IPM Secure Hardening Guidelines

IPM Secure Hardening Guidelines IPM Secure Hardening Guidelines Introduction Due to rapidly increasing Cyber Threats and cyber warfare on Industrial Control System Devices and applications, Eaton recommends following best practices for

More information

PCI DSS Compliance. White Paper Parallels Remote Application Server

PCI DSS Compliance. White Paper Parallels Remote Application Server PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3

More information

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide The Privileged Appliance and Modules (TPAM) 1.0 Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information