Security Configuration Guide for Windows and HikCentral v1.1


Contents

Introduction

1. Operating System Level: Microsoft Windows
   Supported Operating Systems
   Physical Access to Server
   Strict password policy
   Use Software Firewall and only open minimum required Ports on Router firewall
      Windows Firewall
      Remote Client Access
      Router Firewall and Port Forwarding
      Advanced Port forwarding
   Antivirus
   Windows Updates must be turned on

2. Application level: HikCentral Security Configurations
   Lock IP Address after too many attempts
   Minimum Password Strength
   Maximum Password Age
   Auto Lock Control Client
   User Privileges
      Initial Log in: Set strong password
      Set user Permission levels to a minimum required
   Security Transfer Protocol

3. Additional Security Configuration Recommendations


Introduction

HikCentral is Central Management Software (CMS) that comes pre-loaded on a Windows-based server. It is

designed for central management of distributed sites, or of large groups of cameras recording to

Hikvision NVRs, DVRs and CVRs. The following is a high-level guide to help secure the server and the application.

Two levels of the HikCentral system are covered in this document:

1. Operating system level: Microsoft Windows

2. Application level: HikCentral software

Please note: this document focuses on the HikCentral software. For best practices for Hikvision NVRs, DVRs

and IP cameras, refer to the "Hikvision Network Security Hardening Guide" LINK

TIP: Create a unique administrator-level user name and password on the NVRs/DVRs/CVRs that HikCentral

alone uses to connect to them. Connections and actions originating from HikCentral can then be told apart

from other administrator activity in the device log files.

1. Operating System Level: Microsoft Windows

Supported Operating Systems:

HikCentral is supported on the following Windows operating systems:

Microsoft® Windows 7 64-bit

Microsoft® Windows 8 64-bit

Microsoft® Windows 8.1 64-bit

Microsoft® Windows 10 64-bit

Microsoft® Windows Server 2008 R2 64-bit

Microsoft® Windows Server 2012 64-bit

Several of these releases have since reached the end of Microsoft support and no longer receive security

updates; deploy on a release that is still supported, since the "Windows Updates" control below depends on it.

For recommended settings, consult Microsoft's own recommendations directly: LINK

Physical Access to Server:

Physical access to the server (or to the host running the virtual server for HikCentral) must be restricted:

a. Locked access control on the server room door

b. Access to the server room limited to administrative personnel only

Strict password policy

1. Always adhere to the end-user's IT department policy for password management.

2. Assign a complex password, and do not reuse it for HikCentral accounts or for the recorder accounts.

a. If using a Windows server purchased from Hikvision, assign a new password to the Windows

administrator account at first log in.

For Windows password-management best practices, see the Microsoft website: LINK


Use Software Firewall and only open minimum required Ports on Router firewall:

Windows Firewall

A software firewall is a second layer of defense behind the network firewall and helps protect the server

from outside attempts to control or gain access to it. Windows Firewall is on by default and should remain

on at all times, on every network profile (Domain, Private and Public).

Remote Client Access

If the HikCentral server is on a LAN behind NAT and client PCs must reach it remotely over a WAN, use VPN

tunnelling rather than exposing the server's ports to the Internet.

Router Firewall and Port Forwarding

If a VPN between sites is absolutely not possible, make sure the router has a firewall and that only the

ports required to connect to the HikCentral server are opened.

HikCentral requires only four ports to be opened for basic functionality (the port numbers are given in the Hikvision "HikCentral Ports List" document):

HikCentral Streaming Gateway: A, B (used for live view and playback video streaming)

HikCentral Management Service: C, D (used for connections from the Web Clients and the Control Client)
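The Windows Firewall side of this, as an added example that is not part of the Hikvision guide: the PowerShell below keeps the host firewall on for every profile, blocks unsolicited inbound traffic by default, and allows the four HikCentral ports only from the client or VPN subnet. It assumes Windows 8 / Server 2012 or later (the NetSecurity module), that all four ports are TCP, and that the operator supplies the port numbers from the HikCentral Ports List; the function and parameter names are mine, and 10.8.0.0/24 is a placeholder VPN address pool.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Hikvision guide. Assumptions: NetSecurity module
# (Windows 8 / Server 2012+), all four HikCentral ports are TCP, port numbers
# come from the HikCentral Ports List, and $ClientSubnet is the VPN/client range.
function Set-HikCentralFirewall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int[]]    $StreamingPorts,   # Streaming Gateway ports (A, B)
        [Parameter(Mandatory)] [int[]]    $ManagementPorts,  # Management Service ports (C, D)
        [Parameter(Mandatory)] [string[]] $ClientSubnet      # e.g. '10.8.0.0/24' (placeholder VPN pool)
    )

    # Firewall on for every profile; unsolicited inbound traffic is dropped unless
    # an explicit allow rule below matches. Blocked packets are logged for review.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

    # Remove rules from an earlier run so the function can be re-applied safely.
    Get-NetFirewallRule -Group 'HikCentral' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    $ruleSets = @{
        'HikCentral Streaming Gateway'  = $StreamingPorts
        'HikCentral Management Service' = $ManagementPorts
    }
    foreach ($name in $ruleSets.Keys) {
        # Scoping the allow rule to the client subnet means a host elsewhere on the
        # network still hits the default block even if it knows the port number.
        New-NetFirewallRule -DisplayName $name -Group 'HikCentral' `
            -Direction Inbound -Protocol TCP -LocalPort $ruleSets[$name] `
            -RemoteAddress $ClientSubnet -Action Allow -Profile Any | Out-Null
    }
}

# List enabled inbound allow rules that accept connections from ANY address:
# these are what a port scan from an untrusted network would find.
function Get-OpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            $port = $_ | Get-NetFirewallPortFilter
            if ($addr -contains 'Any') {
                [pscustomobject]@{
                    Rule     = $_.DisplayName
                    Protocol = $port.Protocol
                    Port     = ($port.LocalPort -join ',')
                    Profile  = $_.Profile
                }
            }
        }
}

# Usage: substitute the port numbers from the HikCentral Ports List.
# Set-HikCentralFirewall -StreamingPorts A,B -ManagementPorts C,D -ClientSubnet '10.8.0.0/24'
# Get-OpenInboundRules | Format-Table -AutoSize
```

Run it from the server console, or make sure the address you administer from lies inside -ClientSubnet and has its own rule for RDP, because a default-block profile with only these rules drops everything else. Get-OpenInboundRules is the check to run afterwards: any HikCentral rule it still lists is reachable from addresses outside the subnet.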


For added security, change the ports from their default values. The ports are changed in the HikCentral Service Manager;

the guide illustrates this with a screenshot of that dialog. A non-default port only reduces exposure to untargeted

scans; it is not a substitute for restricting which source addresses may reach the port, or for a VPN.

Advanced Port forwarding

See the Hikvision document "HikCentral Ports List" for the port forwarding required by advanced

applications.

Antivirus

Antivirus must be actively running with automatic updates enabled. The default Microsoft Windows antivirus,

"Windows Defender", is sufficient:

Real-time protection must be "on"

Virus and spyware definitions must be "up to date"

The guide shows the Windows 10 Windows Defender settings page as an example.


Windows Updates must be turned on

Windows Update is on by default and must stay on, since Microsoft periodically releases important security

updates; set it to "auto install". Plan a maintenance window for the restarts these updates require, as the

server's services are unavailable while it reboots. The guide shows the Windows 10 Update settings page as an example.
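To check the operating-system controls in this section together, here is an added example (my code, not the guide's) of a PowerShell audit function that reads the local password policy, the firewall profiles, the Windows Defender status and the Windows Update policy, and returns a pass/fail finding for each. It assumes an elevated session on English-language Windows (the "net accounts" text is parsed), PowerShell 3 or later and the Defender module; the thresholds are illustrative values, not ones stated in the guide.

```powershell
# Added example, not from the Hikvision guide. Assumptions: elevated session,
# English-language Windows (net accounts output is parsed), PowerShell 3+, and
# the Defender module (Windows 8.1 / Server 2016+). Thresholds are illustrative.
function Test-HostBaseline {
    [CmdletBinding()]
    param(
        [int] $MinPasswordLength  = 14,
        [int] $MaxPasswordAgeDays = 90,
        [int] $LockoutThreshold   = 5,
        [int] $MaxSignatureAgeDays = 2
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Control, [bool] $Pass, [string] $Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. Local password policy, parsed from the "key: value" lines of "net accounts".
    $acct = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') { $acct[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    if ($acct.ContainsKey('Minimum password length')) {
        $minLen = [int] $acct['Minimum password length']
        Add-Finding 'Minimum password length' ($minLen -ge $MinPasswordLength) "configured $minLen, want >= $MinPasswordLength"
        $maxAge = $acct['Maximum password age (days)']      # "Unlimited" means passwords never expire
        Add-Finding 'Maximum password age' (($maxAge -ne 'Unlimited') -and ([int] $maxAge -le $MaxPasswordAgeDays)) "configured $maxAge, want <= $MaxPasswordAgeDays days"
        $lock = $acct['Lockout threshold']                   # "Never" means no lockout at all
        Add-Finding 'Account lockout threshold' (($lock -ne 'Never') -and ([int] $lock -le $LockoutThreshold)) "configured $lock, want <= $LockoutThreshold attempts"
    } else {
        Add-Finding 'Local password policy' $false 'could not parse "net accounts" output (non-English locale?)'
    }

    # 2. Windows Firewall enabled on every profile.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name)
    Add-Finding 'Windows Firewall enabled (all profiles)' ($off.Count -eq 0) $(if ($off.Count) { "disabled on: $($off -join ', ')" } else { 'on for Domain, Private and Public' })

    # 3. Windows Defender real-time protection and signature age.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
        Add-Finding 'Defender signatures current' ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "signatures $($mp.AntivirusSignatureAge) day(s) old, last update $($mp.AntivirusSignatureLastUpdated)"
    } catch {
        Add-Finding 'Defender status' $false "Get-MpComputerStatus failed: $($_.Exception.Message) (third-party AV or module missing?)"
    }

    # 4. Windows Update: not disabled by policy, set to auto-install (AUOptions 4),
    #    and the wuauserv service not disabled.
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $svc = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    $disabledByPolicy = [bool] ($au -and $au.NoAutoUpdate -eq 1)
    $notAutoInstall   = [bool] ($au -and $au.AUOptions -and $au.AUOptions -ne 4)
    Add-Finding 'Windows Update automatic install' (-not $disabledByPolicy -and -not $notAutoInstall -and $svc.StartMode -ne 'Disabled') "policy NoAutoUpdate=$($au.NoAutoUpdate) AUOptions=$($au.AUOptions); wuauserv StartMode=$($svc.StartMode)"

    $findings
}

# Usage (elevated PowerShell):
# Test-HostBaseline | Format-Table -AutoSize
# if (Test-HostBaseline | Where-Object { -not $_.Pass }) { Write-Warning 'host is not at baseline' }
```

Each finding carries the configured value next to the threshold, so the output doubles as the evidence for a hardening review. Where a third-party antivirus replaces Defender, the Defender check reports a failure with the reason rather than silently passing.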

2. Application level: HikCentral Security Configurations

Lock IP Address after too many attempts

Enable the "Lock IP Address" function in the Security Settings section. This protects the HikCentral server

against repeated failed (brute-force) log in attempts by locking out the source address after the configured number of failures.

Minimum Password Strength

Set the "Minimum Password Strength" level to Strong in the Security Settings section.


Maximum Password Age

Enable "Maximum Password Age" and set the "Expire Time" as required by your password policy in the Security Settings section.

Auto Lock Control Client

Enable "Auto Lock Control Client" and set the "Lock Time" in the Security Settings section. This locks the

Control Client after the configured period with no mouse or keyboard activity; the user's password is

then required to unlock it.

User Privileges

Initial Log in: Set strong password

When you add a new user, they must change the password at their first log in.

Set the password to the Strong level.

When you create a new user, you can also set an "Expiry Date" for the account; use this for temporary

users such as contractors so the account does not outlive its purpose.


Set user Permission levels to a minimum required:

When configuring a new role, select only the permissions that role needs. Assign each user the

least-privileged role that covers their tasks, and reserve the administrator role for the few people who configure the system.

Security Transfer Protocol

Change the Transfer Protocol from HTTP to HTTPS.

Clients can select "System Provided Certificate" or "New Certificate". Whichever option is chosen, the

certificate must be one the client PCs trust, and its name must match the host name clients use to reach the

server: a certificate the clients do not trust produces browser warnings that users learn to click through,

and then gives no protection against an attacker presenting a certificate of their own.
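To confirm what a client actually gets after the switch, here is an added example (not from the guide) that opens a TLS connection to the HikCentral management port from a client PC, reads the certificate the server presents, and reports whether this client trusts the chain, whether the name matches, and how long the certificate remains valid. The function and parameter names and the example host name are assumptions; the port is the HTTPS management port from the HikCentral Ports List, which the guide does not state.

```powershell
# Added example, not from the Hikvision guide. Assumptions: PowerShell 3+,
# $Server is the host name the clients use, $Port is the HTTPS management port
# taken from the HikCentral Ports List.
function Test-HikCentralTls {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $MinDaysValid = 30
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept whatever certificate the server sends ({ $true }) so it can be
    # inspected; trust is evaluated explicitly below instead of by a failed handshake.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # Would this client trust the chain? Same evaluation a browser performs:
    # root in the trusted store, not expired, not revoked where CRL/OCSP is reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Does the certificate name the host the clients connect to? Take the primary
    # DNS name plus every SAN entry; "-like" also honours *.example.com wildcards.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameMatch = [bool] ($names | Where-Object { $Server -like $_ })
    $daysLeft  = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        Server       = "${Server}:$Port"
        Protocol     = $protocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NameMatches  = $nameMatch
        TrustedChain = $trusted
        ChainStatus  = $chainStatus
        DaysToExpiry = $daysLeft
        Thumbprint   = $cert.Thumbprint
        Pass         = ($trusted -and $nameMatch -and $daysLeft -gt $MinDaysValid)
    }
}

# Usage from a client PC (443 is the standard HTTPS port and an assumption here;
# substitute the HikCentral management port if it differs):
# Test-HikCentralTls -Server 'hikcentral.example.com' -Port 443 | Format-List
```

Run it from an ordinary client PC, not from the server, because the point is the client's trust store. A result with TrustedChain false and SelfSigned true means the certificate has to be replaced with one from a CA the clients trust, or distributed to every client's trusted store; NameMatches false means the clients connect by a name the certificate does not cover. Record the Thumbprint once the result passes, so a later change in the presented certificate is noticed.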

3. Additional Security Configuration Recommendations

Block unauthorized computers and devices from accessing the local network, and prevent authorized

computers from connecting to untrusted networks.

If some services must be exposed to an untrusted network, place them in a Demilitarized Zone (DMZ) to

add a further layer of security to the Local Area Network (LAN), so that an external attacker can reach

only the services in the DMZ rather than any device on the LAN.

Create VLANs to divide the network into separate broadcast domains, and apply strict security

policies to the important VLANs, for example keeping the camera and recorder network apart from office workstations.

Use a VPN for remote access; it interconnects remote, usually geographically separate, networks

over public communication infrastructure such as the Internet.

Choose appropriate security technologies to strengthen the network, such as an intrusion detection

system (IDS), access control lists (ACLs), 802.1X port authentication, RADIUS authentication and security auditing.

Join the Windows servers to an Active Directory domain, so that user accounts and their permissions are

managed centrally and each user is granted only the permissions they need.
