Pelco Vx v3.19 System Hardening Guide

VideoXpert™ Professional
System Hardening Guide
Document number:C6672M-AE
Publication date:12/22
VideoXpert™ Professional System Hardening Guide
Table of Contents
Introduction 4
Using Default Security Features 4
Following Secure Configuration Recommendations—Initial Setup 4
Using Windows Defender Credential Guard 5
Using Device Authentication 6
Using Data At Rest 9
Using Trusted Platform Module (TPM) Technology 9
Using UEFI with Secure Boot 9
Using FIPS Cryptographic Modules 10
Updating Browsers 10
Configuring for Least Privilege 10
Configuring VideoXpert Roles and Permissions 11
Following Additional Least Privilege Best Practices 11
Using Separate Accounts for Privileged Functions 11
Preventing Privilege Escalation 12
Performing Account Reviews 12
Configuring for Least Functionality on VideoXpert Systems 12
Minimizing the Use of Essential Protocols, Ports, and Services 12
Minimizing Essential Roles and Features 12
Configuring for Interoperability 14
Adding Access Control 14
Isolating the Network 14
Using Windows Firewall 15
Importing VideoXpert Firewall Rules 15
Using Additional Group Policy Settings 16
Configuring User Rights Assignment 16
Configuring the Account Lockout Policy 16
Configuring Security Options 17
Configuring File System Permissions 17
Considering Additional Security Controls 17
Using a Host Based Security System (HBSS) 17
Using Audit Logging and Event Management 19
Using Data Backup and Recovery 20
Configuring Data Execution Prevention (DEP) 20
C6672M-AE | 12/22 2
Following Operation and Maintenance Recommendations 21

Introduction

This hardening guide is applicable to the current generation of Pelco video management solutions and is geared towards the latest versioned release.
This guide is geared to hardening and best practices of video management systems (VMS) configurations, but does not address general deployment recommendations already covered in VMS operation manuals.
Note: Prior to making any configuration changes recommended by this guide, please refer to any organizationally specific policies and standards that might be applicable. Pelco’s recommendations are implementation suggestions based on industry best practices and are in no way intended to replace an organization’s pre-existing IT directives.

Using Default Security Features

VideoXpert includes a myriad of built-in security features to accommodate and support the hardening of your VMS. Some of these capabilities include configurable roles and permissions for application users. Upon initial configuration of the system, default passwords are required to be changed. These passwords are then stored with cryptographic functions in order to protect their confidentiality. Additionally, VideoXpert supports auditing capabilities through its logging and user action reports. Communication between VideoXpert components is also encrypted over Transport Layer Security (TLS), and configurations are supported to enforce validation of digital certificates prior to connecting to the VMS, ensuring proper authentication is performed. By default, Pelco uses a self-signed certificate, but allows for an organization to configure and upload its own certificate. For further instruction on enabling certificate validation and managing these certificates for VideoXpert, please refer to the operations manual that applies to your installed VideoXpert component and version. These are available at https://www.pelco.com/docs/.

Following Secure Configuration Recommendations—Initial Setup

Ensuring Secure Installation

Prior to making any changes to the system at all, ensure adequate backup and recovery procedures are in place. Pelco recommends that you create backups of essential files/data and system and application configuration settings. Backup procedures specific to VideoXpert can be found in the corresponding operations manual available for download from Pelco’s Document Center at https://www.pelco.com/docs/.
If you are installing a VMS on your own hardware, Pelco recommends that you install a clean version of Windows on the system using a valid Microsoft image. Previously used systems might have pre-existing malware, spyware, or other unknown exploitable vulnerabilities.
Even in fresh installations of Windows, a system likely has unnecessary programs installed. These programs expand the attack surface and become potential points of entry for system compromise. Review installed programs, and completely remove/uninstall the resulting unneeded programs. Verify that all installed programs are legitimate and required for functionality.
Updating theSystem
Ensure that each installed application and the underlying OS of each server and computer on your system has the latest updates that address the current known vulnerabilities. For Windows, you can check for updates directly through the OS. For VideoXpert, the latest patches and versions of software releases are located at https://www.pelco.com/updates/.
On a continual basis:
- Frequently update the OS and the necessary installed applications to ensure newly discovered vulnerabilities are patched as soon as a patch is available.
- Frequently update anti-virus libraries with the latest patches and definitions.
Note: Updates often require a restart. This can be a problem if high availability is required (which is often the case for surveillance systems) because the server cannot receive data from devices when it is restarting. There are a number of options to minimize this impact on availability. For example, you can download updates to the system first, and then apply them at a time when a restart will not disrupt operations significantly. Pelco recommends that you verify the updates in a test environment before implementing the changes across the entire organization or VMS.

Setting Up the Account

To secure access to a new VMS, you must configure an initial administrator account.
Configuration of the initial VMS administrator account will be invoked upon first use of the VMS application. For the initial installation, see the current version of the following documents:
- For VideoXpert Enterprise™ Systems: VideoXpert Enterprise™ System Configuration Guide, VideoXpert Enterprise™ Installation Manual, and the VxToolbox™ Operations Manual
- For VideoXpert Professional™ Systems: VxToolbox section of the VideoXpert Professional™ Operations Manual
A longer password that is more complex (multiple character types – upper case, lower case, numerical, special characters) is much stronger and more difficult to crack.

Configuring Authentication

Authentication is a process for verifying the identity of an object, service, or person. When you authenticate an object, the goal is to verify that the object is genuine. When you authenticate a service or person, the goal is to verify that the credentials presented are authentic.
Pelco recommends that, whenever possible, you use Windows users in combination with Active Directory (AD) to authorize access to the underlying system. This allows you to enforce:
- A password policy that requires users to change their password regularly and prevents older passwords from being used
- Brute force protection, so that the Windows AD account is blocked after a predefined number of consecutive failed authentication attempts, again in line with the organizational password policy
- Multi-factor authentication into the system, particularly for administrators
- Role-based permissions, so you can apply access controls across your domain
Overall, AD allows for a more consistent Windows authentication baseline that can be tracked and enforced across the entire network for both users and computers.
Note: If your organization does not use Active Directory or if the VMS is isolated from your IT network as a standalone system, local group policy can be modified to address secure authentication by configuring your organizationally specific policies in the Windows Local Group Policy Editor, under Computer Configuration > Windows Settings > Security Settings.

Using Windows Defender Credential Guard

Pelco strongly encourages you to enable Windows Defender Credential Guard, a built-in Windows solution for safeguarding credentials. This feature uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket. Windows Defender Credential Guard prevents these attacks by protecting New Technology LAN Manager (NTLM) password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
- Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. Although Windows Defender Credential Guard is a powerful mitigation method, persistent threat attacks will likely shift to new attack techniques. You should incorporate other security strategies and architectures.
Enable Windows Defender Credential Guard by using Group Policy:
1. From the Group Policy Management Console (“gpedit.msc”), select Computer Configuration > Administrative Templates > System > Device Guard.
2. Double-click Turn On Virtualization Based Security, and then click Enabled.
3. In the Select Platform Security Level box, select Secure Boot or Secure Boot and DMA Protection.
4. In the Credential Guard Configuration box, click Enabled with UEFI lock, and then click OK. To be able to turn off Windows Defender Credential Guard remotely, select Enabled without lock.
5. In the Secure Launch Configuration box, select Enabled.
6. To enforce processing of the group policy, run “gpupdate /force” in Command Prompt (“cmd.exe”).
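After the policy has been applied and the system rebooted, confirm that the settings from the steps above actually took effect. The following check is an added example, not part of the Pelco guide; the registry path under HKLM:\SOFTWARE\Policies and the meaning of each value follow Microsoft's Credential Guard documentation and are stated as assumptions in the comments.

```powershell
# Added example (not from the Pelco guide): verify the Credential Guard policy
# applied and that virtualization-based security (VBS) is actually running.
# Assumption: Group Policy writes its values under HKLM:\SOFTWARE\Policies\...\DeviceGuard;
# a directly set value lives under the LSA key. Value meanings are per Microsoft docs.

# CIM view of the live VBS state.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
$vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
$cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)

# Policy values written by steps 2-4 (Group Policy path) or set directly (LSA path).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
            -ErrorAction SilentlyContinue
$lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -ErrorAction SilentlyContinue
$lsaCfgFlags = if ($null -ne $policy.LsaCfgFlags) { $policy.LsaCfgFlags } else { $lsa.LsaCfgFlags }

# LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 or absent = disabled.
$cgPolicy = switch ($lsaCfgFlags) {
  1       { 'Enabled with UEFI lock' }
  2       { 'Enabled without lock' }
  default { 'Disabled / not configured' }
}
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA Protection.
$platformLevel = switch ($policy.RequirePlatformSecurityFeatures) {
  1       { 'Secure Boot' }
  3       { 'Secure Boot and DMA Protection' }
  default { 'not configured' }
}

[pscustomobject]@{
  VbsPolicyEnabled          = ($policy.EnableVirtualizationBasedSecurity -eq 1)
  PlatformSecurityLevel     = $platformLevel
  VbsRunning                = $vbsRunning
  CredentialGuardPolicy     = $cgPolicy
  CredentialGuardConfigured = $cgConfigured
  CredentialGuardRunning    = $cgRunning
} | Format-List

# Configured-but-not-running usually means a reboot is pending or a prerequisite
# (UEFI firmware, Secure Boot, CPU virtualization extensions) is missing.
if ($cgConfigured -and -not $cgRunning) {
  Write-Warning 'Credential Guard is configured but not running; verify prerequisites and reboot.'
} elseif (-not $cgConfigured) {
  Write-Warning 'Credential Guard policy has not applied; re-run gpupdate /force and check the GPO scope.'
}
```

Run it in an elevated PowerShell session on each VideoXpert server; CredentialGuardRunning must report True before the server is considered hardened.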

Using Device Authentication

Another consideration for achieving a more robust authentication baseline involves the practice of secure device authentication through the use of digital certificates. For example, you can implement 802.1x authentication (within the underlying Windows system) as a network access control (NAC). A NAC will securely authenticate authorized devices and prevent rogue devices from connecting to the network. Device whitelisting techniques, such as implementing a host-based security system (HBSS), are also effective for preventing rogue devices from connecting to both networks and standalone systems. More information concerning HBSS features and configurations is presented later in this guide, in the section titled Considering Additional Security Controls. Ensure that you consult with your network and/or endpoint security vendor for implementation of these solutions.
Configuring the Network Protocols, Ports, and Services (PPS)
All VideoXpert components and their associated network ports, protocols, and services (PPS) are listed in individual tables below. In order to determine which network services to enable on a particular system, you must consider all services required to run on that system. For example, to ensure that the network blocks only unwanted traffic, specify rules that allow for the necessary traffic of each VideoXpert component installed. Keep in mind that this guide is specific to VideoXpert; additional network traffic rules can be created in order to ensure overall functionality. This functionality is dependent upon other necessary or required applications and services running on your system that are separate from the VMS.
More information about access control and how to prevent unwanted network connections/traffic is presented later in this guide.
Table 1: VideoXpert Pro Server™ Protocols and Ports

| Protocol  | Ports       | Service                                        |
|-----------|-------------|------------------------------------------------|
| TCP/HTTPS | 443         | REST API                                       |
| UDP/SSDP  | 1900        | SSDP Discovery                                 |
| TCP/RTSP  | 5544        | Video and audio command and control            |
| TCP/SSH   | 6666        | Application-specific debugging                 |
| TCP/HTTP  | 9091        | REST API                                       |
| TCP/psql  | 15432       | PostgreSQL database (localhost service)        |
| UDP/RTP   | 41950-61000 | Receiving streamed video and audio             |
| UDP/RTCP  | 41950-61000 | Receiving metadata regarding the media streams |

Table 2: VxOpsCenter™ Protocols and Ports

| Protocol   | Ports  | Service                                          |
|------------|--------|--------------------------------------------------|
| UDP/syslog | 34543  | Logging                                          |
| TCP/RTP    | 43421  | Decoder command and control (localhost service)  |
| UDP/RTP    | random | Receiving streamed video and audio               |

Table 3: VxToolbox™ Protocols and Ports

| Protocol     | Ports  | Service                                                                                                                                         |
|--------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------|
| UDP/SNMP     | 161    | VxSNMP service                                                                                                                                  |
| TCP/SSH      | 6667   | VxToolbox debugging                                                                                                                             |
| TCP/JMX      | 6660   | Java debugging interface (localhost service)                                                                                                    |
| TCP/Telnet   | 7777   | Application-specific debugging (localhost service)                                                                                              |
| TCP/GRPC/TLS | 31457  | Internal application communication (localhost service)                                                                                          |
| TCP/HTTP     | 31458  | Software updating cameras                                                                                                                       |
| TCP/debug    | >49000 | VxToolbox opens a random ephemeral port >49000 for debug functionality with JVisualVM. Removal of this feature is under investigation for a future release. |
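The tables above are the input for the host firewall rules the text describes: allow only the listed ports, and scope each one to the narrowest remote address its purpose requires. The script below is an added example, not Pelco's own rule set or the rules imported later in this guide; it builds inbound allow rules for the VideoXpert Pro Server ports from Table 1, and the rule names, group name and the 10.0.0.0/24 management subnet are placeholders to replace.

```powershell
# Added example (not from the Pelco guide): Windows Firewall inbound allow rules
# for the VideoXpert Pro Server ports in Table 1. Localhost-only services are
# pinned to loopback and the debugging port to an administrative subnet.
# Assumptions: the default inbound policy is Block (so unlisted ports stay
# closed), and the names/subnet below are placeholders for your environment.
$MgmtSubnet = '10.0.0.0/24'                   # placeholder administrative network
$RuleGroup  = 'VideoXpert Pro Server (example)'

# Table 1 entries. Scope = allowed remote address: Any, LocalSubnet, a CIDR, or loopback.
# 'Any' is used for the client-facing services every workstation must reach; narrow
# these to your client network where practical. RTP and RTCP share one UDP range.
$Rules = @(
  @{ Name = 'VxPro REST API (HTTPS 443)';   Proto = 'TCP'; Port = '443';         Scope = 'Any' }
  @{ Name = 'VxPro SSDP discovery';         Proto = 'UDP'; Port = '1900';        Scope = 'LocalSubnet' }
  @{ Name = 'VxPro RTSP control';           Proto = 'TCP'; Port = '5544';        Scope = 'Any' }
  @{ Name = 'VxPro SSH debugging';          Proto = 'TCP'; Port = '6666';        Scope = $MgmtSubnet }
  @{ Name = 'VxPro REST API (HTTP 9091)';   Proto = 'TCP'; Port = '9091';        Scope = 'Any' }
  @{ Name = 'VxPro PostgreSQL (localhost)'; Proto = 'TCP'; Port = '15432';       Scope = '127.0.0.1' }
  @{ Name = 'VxPro RTP/RTCP media';         Proto = 'UDP'; Port = '41950-61000'; Scope = 'Any' }
)

foreach ($r in $Rules) {
  # Skip rules that already exist so the script can be re-run safely.
  if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
  New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup -Direction Inbound -Action Allow `
    -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Scope -Profile Domain, Private | Out-Null
}

# Review the result: one row per rule with its port and remote-address filters.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
  $port = $_ | Get-NetFirewallPortFilter
  $addr = $_ | Get-NetFirewallAddressFilter
  [pscustomobject]@{
    Rule     = $_.DisplayName
    Protocol = $port.Protocol
    Port     = $port.LocalPort
    Remote   = $addr.RemoteAddress
  }
} | Format-Table -AutoSize
```

Repeat the pattern with the Table 2 and Table 3 entries on hosts that run VxOpsCenter or VxToolbox, keeping every "(localhost service)" port on the loopback scope.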