Security Configuration Guide for
Windows and HikCentral v1.1
Contents

Introduction
1. Operating System Level: Microsoft Windows
   Supported Operating Systems
   Physical Access to Server
   Strict password policy
   Use Software Firewall and only open minimum required Ports on Router firewall
      Windows Firewall
      Remote Client Access
      Router Firewall and Port Forwarding
      Advanced Port forwarding
   Antivirus
   Windows Updates must be turned on
2. Application level: HikCentral Security Configurations
   Lock IP Address: after too many attempts
   Minimum Password Strength
   Maximum Password Age
   Auto Lock Control Client
   User Privileges
      Initial Log in: Set strong password
      Set user Permission levels to a minimum required
   Security Transfer Protocol
3. Additional Security Configuration Recommendations
Introduction
HikCentral is Central Management Software (CMS) pre-loaded on a Windows-based server. It is designed for central
management of distributed sites, or of large groups of cameras recording on Hikvision NVRs, DVRs and CVRs. The
following is a high-level guide to help secure the server and the application.
There are 2 levels of the HikCentral system that are covered in this document:
1. Operating system: Microsoft Windows
2. Application level: HikCentral software
Please note: this document focuses on the HikCentral software. For best practices for Hikvision NVRs, DVRs
and IP cameras, please refer to the “Hikvision Network Security Hardening Guide”: LINK
TIP: An additional suggestion is to create a unique administrator-level user name and password for HikCentral
to use when connecting to NVRs/DVRs/CVRs. This makes it easier to identify communication between the devices and
HikCentral in log files and similar records.
1. Operating System Level: Microsoft Windows
Supported Operating Systems:
HikCentral is supported on the following Windows operating systems:
Microsoft® Windows 7 64-bit
Microsoft® Windows 8 64-bit
Microsoft® Windows 8.1 64-bit
Microsoft® Windows 10 64-bit
Microsoft® Windows Server 2008 R2 64-bit
Microsoft® Windows Server 2012 64-bit
For recommended settings, please consult Microsoft's own recommendations directly: LINK
Physical Access to Server:
Physical access to the server (or to the virtual server hosting HikCentral) should be restricted:
a. Locked access control on the server room door
b. Access to the server room limited to admin personnel only
Strict password policy
1. Always adhere to the end-user's IT department policy for password management.
2. Assign a complex password.
   a. If using a Windows server purchased from Hikvision, assign a new password to the Windows Admin
      account upon first log in.
For best practices for password management on Windows, please see the Microsoft website: LINK
Use a Software Firewall and only open the minimum required Ports on the Router firewall
Windows Firewall
A software firewall is a second layer of defense behind the network-layer firewall and helps protect the
computer from outside attempts to control it or gain access. By default, the Windows Firewall is turned on, and
it should remain on at all times.
Remote Client Access
If the HikCentral server is on a LAN behind NAT and must be accessed remotely by client PCs over a WAN, it is
recommended to use VPN tunneling.
Router Firewall and Port Forwarding
If it is absolutely not possible to use a VPN between sites, make sure that the router has a firewall and that
only the ports required to connect to the HikCentral server are opened.
HikCentral only requires 4 ports to be opened for basic functionality:
HikCentral Streaming Gateway: A, B (used for live view and playback video streaming)
HikCentral Management Service: C, D (used for connecting to Web Clients and the Control Client)
For added security, it is recommended to change the ports to values other than the defaults.
Below is an example of how to change the ports in the Service Manager:
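The Windows Firewall side of the advice above (firewall on, inbound blocked by default, only the HikCentral ports open, and only to the remote clients that need them) can be applied with PowerShell. This is an added example, not Hikvision's own script; the port numbers are passed in because the guide lists them only as A, B, C, D, and the VPN client subnet is an assumption.

```powershell
# Added example (not from the Hikvision guide). Run as Administrator on the
# HikCentral server (Windows 8 / Server 2012 or later for the NetSecurity module).
# Take the port numbers from the HikCentral Service Manager; they are not hard-coded
# here because the guide does not publish them.
param(
    [Parameter(Mandatory)][int[]]$StreamingPorts,   # Streaming Gateway ports (A, B in the guide)
    [Parameter(Mandatory)][int[]]$ManagementPorts,  # Management Service ports (C, D in the guide)
    [string]$AllowedClients = '10.8.0.0/24'          # assumed VPN subnet the Control/Web Clients use
)

# Keep every firewall profile on and drop inbound traffic unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

function Set-HikCentralInboundRule {
    param([string]$Name, [int[]]$Ports, [string]$RemoteAddress)
    # Replace any stale rule of the same name so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Allow TCP to the HikCentral ports only from the permitted client range.
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
        -LocalPort $Ports -RemoteAddress $RemoteAddress -Action Allow -Profile Any | Out-Null
}

Set-HikCentralInboundRule -Name 'HikCentral Streaming Gateway'  -Ports $StreamingPorts  -RemoteAddress $AllowedClients
Set-HikCentralInboundRule -Name 'HikCentral Management Service' -Ports $ManagementPorts -RemoteAddress $AllowedClients

# Review what is now reachable: the rules created above and their port filters.
Get-NetFirewallRule -DisplayName 'HikCentral*' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

The router-side port forwarding the guide describes still has to be configured on the router itself; this script only controls what the Windows host accepts.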
Advanced Port forwarding
Please see the Hikvision document “HikCentral Ports List” for information on the port forwarding required for
advanced applications.
Antivirus
Antivirus must be actively running with updates turned on. The default Microsoft Windows antivirus,
“Windows Defender”, is sufficient:
Real-time protection must be “on”
Virus and spyware definitions must be “up to date”
Example from Windows 10:
Windows Updates must be turned on
By default, Windows Updates are turned on. It is important to keep them on, as Microsoft sends important security
updates periodically; set updates to “auto install”.
Example from Windows 10 settings:
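The two checks in the Antivirus and Windows Updates sections (real-time protection on, definitions current, automatic updates enabled) can be verified without opening the Settings app. This is an added example, not part of the Hikvision guide; the acceptable signature age is an assumption, and the Defender cmdlets require Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the Hikvision guide): report whether the server meets the
# antivirus and update requirements. Suitable for a scheduled task that exits non-zero.
$MaxSignatureAgeDays = 3   # assumed: definitions older than this count as not "up to date"

function Test-HikCentralServerProtection {
    # Windows Defender state (Get-MpComputerStatus exists on Windows 8 / Server 2012 and later).
    $defender = Get-MpComputerStatus

    # Windows Update service: on Windows 10 it is trigger-started and may be idle, so check
    # that it is not disabled rather than that it is currently running.
    $wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

    # Automatic Updates policy, if one is set. AUOptions 4 = auto download and schedule install.
    # No value means no policy is applied and the Windows default (updates on) is in effect.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                           -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RealTimeProtection   = [bool]$defender.RealTimeProtectionEnabled
        SignatureAgeDays     = $defender.AntivirusSignatureAge
        SignaturesCurrent    = $defender.AntivirusSignatureAge -le $MaxSignatureAgeDays
        UpdateServiceEnabled = $wu.StartMode -ne 'Disabled'
        AutoUpdateDisabled   = ($null -ne $au -and $au.NoAutoUpdate -eq 1)
        AutoInstallPolicy    = if ($null -eq $au -or $null -eq $au.AUOptions) { 'not set (Windows default)' } else { $au.AUOptions }
    }
}

$report = Test-HikCentralServerProtection
$report | Format-List

# Fail loudly when a required control is off.
if (-not $report.RealTimeProtection -or -not $report.SignaturesCurrent -or
    -not $report.UpdateServiceEnabled -or $report.AutoUpdateDisabled) {
    Write-Warning 'HikCentral server does not meet the antivirus/update baseline.'
    exit 1
}
```

If SignaturesCurrent is false, Update-MpSignature pulls the latest definitions immediately; a persistent failure usually means the server cannot reach Microsoft's update endpoints through the firewall described earlier.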
2. Application level: HikCentral Security Configurations
Lock IP Address: after too many attempts
Enable the “Lock IP Address” function in the Security Settings part. This helps protect the HikCentral server
from illegal log-in attempts.
Minimum Password Strength
Adjust the “Minimum Password Strength” level to Strong in the Security Settings part.
Maximum Password Age
Enable “Maximum Password Age” and set the “Expire Time” as you want in the Security Settings part.
Auto Lock Control Client
Enable “Auto Lock Control Client” and set the “Lock Time” in the Security Settings section. This locks the
Control Client if there is no mouse or keyboard activity within the allotted time. The client then
requires the user's password to unlock.
User Privileges
Initial Log in: Set strong password
When you add a new user, that user must change the password at the first login.
Please set the password to the Strong level.
When you create a new user, you can also set an “Expiry Date” for the user.
Set user Permission levels to the minimum required:
When you are configuring a new role, please only select the permissions this role needs.
Security Transfer Protocol
Change the Transfer Protocol from HTTP to HTTPS.
Clients can select “System Provided Certificate” or “New Certificate”.
3. Additional Security Configuration Recommendations
1. Block unauthorized computers or devices from accessing the local network, and forbid rightful computers
   from connecting to untrusted networks.
2. If some services must be exposed to an untrusted network, build a Demilitarized Zone (DMZ) to add an
   additional layer of security to the Local Area Network (LAN), so that an external attacker only has
   access to the services in the DMZ rather than to any device on the LAN.
3. Create VLANs to divide the network into different broadcast domains, and apply strict security policies
   to important VLANs.
4. Use a VPN for remote access; it interconnects remote, and mostly geographically separate, networks over
   public communication infrastructure such as the Internet.
5. Choose proper security technologies to enhance network safety, such as an intrusion detection system
   (IDS), Access Control Lists (ACLs), 802.1x, RADIUS authentication and security auditing.
6. Adopt domain control on Windows Server systems, whereby computer users are granted only the permissions
   they need.