
Security Reference Guide: Crestron® Control Systems


Page 1: Security Reference Guide: Crestron® Control Systems

Crestron® Control Systems
Security Reference Guide
Crestron Electronics, Inc.


Original Instructions

The U.S. English version of this document is the original instructions. All other languages are a translation of the original instructions.

Crestron product development software is licensed to Crestron dealers and Crestron Service Providers (CSPs) under a limited nonexclusive, nontransferable Software Development Tools License Agreement. Crestron product operating system software is licensed to Crestron dealers, CSPs, and end-users under a separate End-User License Agreement. Both of these Agreements can be found on the Crestron website at www.crestron.com/legal/software_license_agreement.

The product warranty can be found at www.crestron.com/warranty.

The specific patents that cover Crestron products are listed at www.crestron.com/legal/patents.

Certain Crestron products contain open source software. For specific information, visit www.crestron.com/opensource.

Crestron, the Crestron logo, 3-Series, Crestron Toolbox, DigitalMedia, and Fusion RoomView are either trademarks or registered trademarks of Crestron Electronics, Inc. in the United States and/or other countries. Active Directory, Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Ethernet is either a trademark or registered trademark of Xerox Corporation in the United States and/or other countries. Other trademarks, registered trademarks, and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Crestron disclaims any proprietary interest in the marks and names of others. Crestron is not responsible for errors in typography or photography.

©2020 Crestron Electronics, Inc.


Contents

Revision History 1
Introduction 2
Suggested System Configuration 3
    Architecture 3
    Firewall Rules in Normal Operation 5
    Firewall Rules in Isolation Mode 6
Assumptions 8
Common Steps 9
Optional Steps 10
    Secure Connections 10
    Web Server 10
    Set Lock Out Configuration 10
    Blocked IP Address Functions 11
    Set Password Rules 13
    Other Password Commands 14
    Authenticate Using Active Directory® Software 14
        Add Local or Active Directory User to a Local Group 14
        Remove Local or Active Directory User from a Local Group 15
        Add Active Directory Group 15
        Delete Active Directory Group 15
        List Users 16
        List Group Users 16
        List Local Groups 16
        List Active Directory Groups 16
        Show User Information 17
        Who Command Change 17
    Install a Certificate 18
    Disable Crestron Cloud 18
    Set Idle Time Out 19
    Setup Audit Loss 20
    802.1x Authentication 23
Security Protocols 26
More About User Groups 27
TSW Touch Screens 28

Security Reference Guide — Doc. 8563H Contents • i

DigitalMedia™ Devices 29
    Matrix Switches 29
    Transmitter and Receiver Devices 29
Enabling Remote Access 30


Revision History

Please send comments and change recommendations to [email protected].

Version | Date | Notes | Author
A | February 23, 2015 | Release Version | JP
B | March 13, 2015 | Added Web Server Information | JP
C | March 23, 2015 | Added disabling of TSW Setup Key Sequence | JP
D | May 6, 2015 | Added information regarding Remote Access | JP
E | June 9, 2015 | Corrected CIPHER command | JP
F | April 22, 2016 | Updated to 1.5xx firmware (keep SSH enabled) and addition of DM Matrix Switch Information | JP
G | July 18, 2016 | Added SECUREGATEWAYMODE information | JP
H | April 14, 2020 | Formatted to Crestron branding standards. | TP


Introduction

This document describes the steps needed to harden a Crestron® installation and assumes a basic understanding of security functions and protocols.


Suggested System Configuration

Crestron® control devices are created using a variety of platforms and processors. In certain cases, devices are unable to provide the full set of security features needed for specific solutions.

Crestron’s CP3N, AV3, and PRO3 all feature the Crestron Control Subnet, which provides an easy way to create a new Ethernet® network dedicated to Crestron’s Ethernet devices. The Control Subnet simplifies setting up a dedicated Crestron LAN. As such, the Control Subnet has a DHCP and DNS Server. The Control Subnet is designed as a fully functional firewall/router, and the control system and Crestron tools will open up ports as needed.

Devices on the Control Subnet are able to reach out to the wider LAN by default, but other traffic into the Control Subnet is limited to Crestron tools.

To further restrict the system, the 3-Series® processor supports Isolation Mode, where the firewall is configured so that no traffic can traverse from the LAN to the devices on the Control Subnet nor from the Control Subnet to the LAN. Using this mechanism, customers can protect their corporate LAN from devices on the Control Subnet.

Architecture

Even if nothing is plugged into the Control Subnet port on the back of the control system, there are still some devices on the Control Subnet:

• Control System CPU (where AV Programs run)

• Optional Expansion cards (PRO3 and AV3 only)

This design ensures that the Crestron CPU and optional expansion cards are protected from malicious packets on the LAN. The diagram below illustrates how all of the components work together:

The firewall rules only allow in traffic that the CPU perceives. As such, a port scan will only show ports that the CPU perceives. Users have the ability to set up manual port forwarding rules to make custom connections to the devices on the Control Subnet.


Crestron’s management utility, Crestron Toolbox™ software, creates custom port forwarding rules in the 64000-64299 range to enable management of the devices on the Control Subnet. These port forwarding rules are created when the tool connects. The rules are broken down when the tool disconnects or when the device is rebooted.


Firewall Rules in Normal Operation

Under normal operation procedures, the firewall on the CS Router is set as follows:

FUNCTION | TYPE | DESTINATION PORT | FROM (Sender) | TO (Listener) | NOTES
FTP | TCP | 21 | Inbound from LAN | To CPU | If enabled in control system program. FTP is disabled in most cases.
SSH | TCP | 22 | Inbound from LAN | To CPU |
Telnet | TCP | 23 | Inbound from LAN | To CPU | If enabled in control system program.
Web | TCP | 80 & 443 | Inbound from LAN | To CPU | If enabled in control system program.
Flash Policy | TCP | 843 | Inbound from LAN | To CPU | If enabled in control system program.
Crestron communication protocols | TCP/UDP | 41794-41797 | Inbound from LAN | To CPU | Crestron Terminal Protocol is disabled in recent builds. Most devices use SSH.
Programmatic listeners | TCP/UDP | Listen ports used by program | Inbound from LAN | To CPU |
Allows Crestron management tool to access devices on the Control Subnet. Ports are opened and closed as needed. | TCP | 64000-64299 | Inbound from LAN | To devices on CS |
All outbound traffic is allowed. | TCP/UDP | Any port | Control Subnet outbound to LAN | Allowed |
Allows the end-user to do manual port forwarding to devices on the Control Subnet. | TCP/UDP | User defined | Inbound from LAN | User defined |


Firewall Rules in Isolation Mode

When Isolation Mode is enabled, the rules are as follows:

FUNCTION | TYPE | DESTINATION PORT | FROM (Sender) | TO (Listener) | NOTES
FTP | TCP | 21 | Inbound from LAN | To CPU | If enabled in control system program. FTP is disabled in most cases.
SSH | TCP | 22 | Inbound from LAN | To CPU |
Telnet | TCP | 23 | Inbound from LAN | To CPU | If enabled in control system program.
Web | TCP | 80 & 443 | Inbound from LAN | To CPU | If enabled in control system program.
Flash Policy | TCP | 843 | Inbound from LAN | To CPU | If enabled in control system program.
Crestron communication protocols | TCP/UDP | 41794-41797 | Inbound from LAN | To CPU | Crestron Terminal Protocol is disabled in recent builds. Most devices use SSH.
Programmatic listeners | TCP/UDP | Listen ports used by program | Inbound from LAN | To CPU |
Crestron's tools cannot connect to any devices on the Control Subnet. | TCP | 64000-64299 | Inbound from LAN | BLOCKED |
Allows the control system CPU to communicate with both the LAN and the Control Subnet. | TCP/UDP | Any client ports used by program | Control Subnet outbound to LAN | From CPU: Allowed |
No outbound traffic is allowed. | TCP/UDP | Any port | Control Subnet outbound to LAN | All other devices: BLOCKED |
No port forwarding can be managed by the user. | TCP/UDP | User defined | Inbound from LAN | BLOCKED |


Along with the firewall rules, Isolation Mode also disables the functionality needed for making port mappings by either the user or Crestron tools. Therefore, in Isolation Mode, not even Crestron’s tools can connect to the devices on the Control Subnet.

The only device that can communicate with both the LAN and the Control Subnet in Isolation Mode is the Control System CPU.


Assumptions

Crestron assumes the following about the operating environment of its systems:

1. The system is not capable of dual authorization. If your organization's policy requires dual authorization, you cannot use the system.

2. Physical security, commensurate with the value of the system and the data it contains, is assumed to be provided by the environment.

3. Administrators are trusted to follow and apply all administrator guidance.


Common Steps

Take the following steps when hardening a Crestron control system:

1. Input the command AUTH ON. You will be prompted for the name and password of an Administrator account. Do not lose this information. The system cannot be accessed without this information.

2. Create other users and assign them to groups as desired. Refer to More About User Groups (on page 27) for more information.

3. Input the command CIPHER STRONG.

4. If your installation requires Banners, please copy the Banner to the following device folder: /SSHBanner/banner.txt.

At this time, FTP, HTTP, and TELNET services will be disabled. HTTPS will continue to be available.


Optional Steps

All steps below are optional. The rationale for their performance is provided.

Secure Connections

By default, devices may connect using unsecured communications. With authentication and TLS enabled, devices may optionally connect using secured methods.

Secure connections are configurable using the command SECUREGATEWAYMODE. The following parameters are supported:

• DEFAULT: Accepts both secure and unsecure Gateway CIP connections on all network interfaces.

• SECUREONLY: Accepts only secure Gateway CIP connections on all network interfaces.

• SECURENONCS: (Only valid for the CP3N, PRO3, AV3) Accepts secure and unsecure Gateway CIP connections from devices on the control subnet, but only secure connections are accepted on the LAN interface.

• SECUREEXT:

    o Accepts only secure Gateway CIP connections from external IP addresses (i.e. from different subnets than any of the connected networks).

    o Accepts unsecure connections from IP addresses on the same subnet as the given network interface (i.e. LAN port allows unsecure connections on the local LAN subnet, Control Subnet port allows unsecure connections from its local subnet).

    o Ensures that all mobile devices are properly configured to use TLS/SSL communications.

Web Server

Crestron Control Systems contain a built-in web server. When SSL/TLS is enabled, port 80 will remain open but will only redirect to port 443. The web server will then prompt for authentication credentials.

If the web server is not being used, some customers may prefer to disable it entirely. Use the following command to enable or disable the web server:

WEBSERVER [ON | OFF]
    No parameter - displays current setting

Set Lock Out Configuration

To prevent brute force attacks, the system only allows a certain number of attempts before locking out the source IP address. By default, three unsuccessful attempts from the same IP address will block that address for 24 hours. A more secure installation would not grant automatic unlocks, which allow potential attackers to retry possible username and password combinations without the knowledge of the user or the administrator.

To configure lock out settings, enter the following commands:

PRO3>setloginattempts ?
SETLOGINAttempts [number]
    number: number of logon attempts a user will have before the console is blocked, 0 is infinite
    No parameter: display current setting

PRO3>setlockouttime ?
SETLOCKOUTTIME [number]
    number: number of hours to block an IP address, 0 is indefinite, 255 max
    No parameter: display current setting

For USB transport, the action is blocked for five seconds after the maximum number of log on attempts is reached. If the user retries after five seconds and continues to fail, the block time is doubled. The block time continues to double until a successful log on attempt or until a control system reboot occurs. Once a user successfully authenticates against the console, the failure count is reset to zero. The block time resets to five seconds.

This setting can be altered in Crestron Toolbox software from the Authentication Settings dialog box.
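The two lockout behaviours described above (a per-IP block of SETLOCKOUTTIME hours after SETLOGINATTEMPTS failures over Ethernet, and the five-second doubling back-off on USB) are easier to reason about as a small state machine. The following model is an added example written for this guide, not Crestron code; the name "usb" for the USB console transport, the choice to keep the failure count after an automatic unlock, and the treatment of a reboot are assumptions. Times are plain seconds so the model can be exercised without waiting 24 hours.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

USB_FIRST_BLOCK_SECONDS = 5.0   # the guide: USB is blocked five seconds at first


@dataclass
class _SourceState:
    failures: int = 0
    blocked_until: Optional[float] = None   # None: not blocked; inf: indefinite
    usb_block: float = USB_FIRST_BLOCK_SECONDS


class LockoutPolicy:
    """Model of SETLOGINATTEMPTS / SETLOCKOUTTIME for Ethernet sources and the
    doubling back-off the guide describes for USB. Times are seconds on one clock."""

    def __init__(self, login_attempts: int = 3, lockout_hours: int = 24):
        # device defaults per the guide: 3 attempts, 24 hours
        if not 0 <= lockout_hours <= 255:
            raise ValueError("SETLOCKOUTTIME takes 0 (indefinite) to 255 hours")
        if login_attempts < 0:
            raise ValueError("SETLOGINATTEMPTS takes 0 (infinite) or a positive count")
        self.login_attempts = login_attempts   # 0 = never block
        self.lockout_hours = lockout_hours     # 0 = block until an admin unblocks
        self._sources: Dict[str, _SourceState] = {}

    def is_blocked(self, source: str, now: float) -> bool:
        state = self._sources.get(source)
        return (state is not None and state.blocked_until is not None
                and now < state.blocked_until)

    def attempt(self, source: str, success: bool, now: float) -> bool:
        """Record one logon attempt. Returns False when the source is blocked and
        the attempt is refused without being evaluated: a correct password does
        not help while a block is active."""
        if self.is_blocked(source, now):
            return False
        state = self._sources.setdefault(source, _SourceState())
        if success:
            # successful logon: failure count and USB back-off both reset
            state.failures = 0
            state.blocked_until = None
            state.usb_block = USB_FIRST_BLOCK_SECONDS
            return True
        state.failures += 1
        # assumption: the count is not reset by an automatic unlock, so one more
        # failure after the block expires blocks the source again
        if self.login_attempts and state.failures >= self.login_attempts:
            if source == "usb":   # assumption: "usb" names the USB console transport
                state.blocked_until = now + state.usb_block
                state.usb_block *= 2   # the next failure after the block doubles it
            elif self.lockout_hours == 0:
                state.blocked_until = float("inf")
            else:
                state.blocked_until = now + self.lockout_hours * 3600
        return True

    def blocked_sources(self, now: float) -> List[str]:
        """Like LISTBLOCKEDIP: sources whose block is still active."""
        return sorted(s for s in self._sources if self.is_blocked(s, now))

    def unblock(self, source: str) -> None:
        """Like REMBLOCKEDIP <ipaddress>: an administrator clears one block."""
        self._sources.pop(source, None)

    def reboot(self) -> None:
        """The guide says a reboot ends the USB back-off; the model only resets
        USB state (what happens to Ethernet blocks on reboot is not stated)."""
        self._sources.pop("usb", None)


if __name__ == "__main__":
    policy = LockoutPolicy()                       # defaults: 3 attempts, 24 h
    for t in range(3):                             # constructed: three bad logons
        policy.attempt("10.0.0.5", False, float(t))
    print("blocked:", policy.blocked_sources(now=10.0))
```

The point of running the model is the sentence in the guide about automatic unlocks: with lockout_hours set to 24 a blocked source becomes usable again by itself, whereas with 0 only unblock() (the REMBLOCKEDIP action) clears it, so the retry is visible to an administrator.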

Blocked IP Address Functions

When a user reaches the maximum number of logon attempts over an Ethernet connection (CTP/SCTP/SSH), the client’s IP address is blocked. Administrators have access to commands that allow them to manage this behavior.

Change Lock Out time

To change the number of hours an IP address is blocked, enter the following command:

SETLOCKOUTTIME [number]
    number: number of hours to block an IP address, 0 is indefinite, 255 max
    No parameter: display current setting

List Blocked IP Address

To list blocked IP addresses, enter the following command:

LISTBLOCKEDip
    No parameter: display current list of blocked IP addresses


Add an IP Address to the Blocked List

To add an IP address to the blocked list, enter the following command:

ADDBLOCKEDip [ipaddress]
    ipaddress: IP address to block
    No parameter: display current list of blocked IP addresses


Remove an IP Address from the Blocked List

To remove an IP address from the blocked list, enter the following commands:

REMBLOCKEDip [ALL|ipaddress]
    ipaddress: IP address of the blocked connection
    ALL: remove all blocked IP addresses
    No parameter: display current list of blocked IP addresses

Set Password Rules

Installations may have individual password rules that need to be applied. To apply these password rules, enter the following commands:

SETPASSWORDRULE {-ALL | -NONE} | {-LENGTH:minPasswordLength} {-MIXED} {-DIGIT} {-SPECIAL}

• -ALL: all rules will be applied.

• -NONE: no rules will be applied.

• -LENGTH: specifies minimum password length. By default, the minimum length is 6. This parameter can't be combined with NONE.

• -MIXED: password must contain a lower and upper case character. This parameter can't be combined with NONE.

• -DIGIT: password must contain a number. This parameter can't be combined with NONE.

• -SPECIAL: password must contain a special character. This parameter can't be combined with NONE.
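Before an installer pushes a SETPASSWORDRULE line to a fleet of processors, it helps to check the candidate passwords against the same rule off-line. The script below is an added example for this guide, not Crestron code: it parses the command syntax listed above and evaluates a password against it. How the device itself treats -NONE (here: no length check at all) and whether -ALL may be combined with an explicit -LENGTH (here: it may not) are assumptions drawn from the syntax line, not from observed firmware behaviour.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordRule:
    """One SETPASSWORDRULE configuration (semantics assumed from the guide's syntax)."""
    min_length: int = 6        # -LENGTH:n; the guide states the default is 6
    mixed: bool = False        # -MIXED: lower- and upper-case letters required
    digit: bool = False        # -DIGIT: a number required
    special: bool = False      # -SPECIAL: a special character required

    @classmethod
    def from_command(cls, command: str) -> "PasswordRule":
        """Parse a SETPASSWORDRULE command line into a rule object."""
        tokens = command.split()
        if not tokens or tokens[0].upper() != "SETPASSWORDRULE":
            raise ValueError("not a SETPASSWORDRULE command")
        flags = [t.upper() for t in tokens[1:]]
        if "-NONE" in flags:
            # the guide: LENGTH, MIXED, DIGIT and SPECIAL cannot be combined with NONE
            if len(flags) > 1:
                raise ValueError("-NONE cannot be combined with other rules")
            return cls(min_length=0)   # assumption: NONE disables the length check too
        if "-ALL" in flags:
            if len(flags) > 1:         # assumption: ALL stands alone, per the syntax line
                raise ValueError("-ALL cannot be combined with other rules")
            return cls(mixed=True, digit=True, special=True)
        min_length, mixed, digit, special = 6, False, False, False
        for flag in flags:
            if flag.startswith("-LENGTH:"):
                min_length = int(flag.split(":", 1)[1])
            elif flag == "-MIXED":
                mixed = True
            elif flag == "-DIGIT":
                digit = True
            elif flag == "-SPECIAL":
                special = True
            else:
                raise ValueError(f"unknown SETPASSWORDRULE option {flag}")
        return cls(min_length, mixed, digit, special)


def check_password(password: str, rule: PasswordRule) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < rule.min_length:
        problems.append(f"shorter than {rule.min_length} characters")
    if rule.mixed and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both lower- and upper-case letters")
    if rule.digit and not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if rule.special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    return problems


if __name__ == "__main__":
    rule = PasswordRule.from_command("SETPASSWORDRULE -ALL")
    for candidate in ("Abc12!", "abc123"):        # constructed sample passwords
        print(candidate, check_password(candidate, rule) or "ok")
```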


Other Password Commands

Change Local User Password

When authentication is on, any logged-in user can change his or her password. The user is prompted to enter the old password once and the new password twice. If the old password does not match the current password, this operation fails and the password is not changed.

Local users changing their password should enter the following command:

UPDATEPASSWORD
    No parameters needed

Reset Local User Password

When authentication is on, users with administrator rights can reset a user’s password. To do so, enter the following command:

RESETPASSWORD -N:username -P:defaultpassword

• -N: specifies name of the user to be reset

• -P: specifies the default password

Authenticate Using Active Directory® Software

Add Local or Active Directory User to a Local Group

Local users are created on 3-Series Control Systems® without any access rights. By adding them to a local group, they inherit the access level from the group. A 3-Series Control System cannot create or remove a user from Active Directory but it can grant access to an existing user in Active Directory software. To grant access to an Active Directory user, either add the user to a local group on the control system or add the Active Directory group(s) that the user is a member of to the control system.

When authentication is enabled, users with administrator rights can perform the following command:

ADDUSERTOGROUP -N:username -G:groupname

• -N: specifies name of a local or domain user

• -G: specifies name of a local group

Remove Local or Active Directory User from a Local Group

When authentication is turned on, users with administrator rights can remove local or Active Directory users from a local group. After users are removed from a local group, they do not have the access rights associated with the group. The user account is not deleted by this command.

To remove a user, enter the following command:

REMOVEUSERFROMGROUP -N:username -G:groupname

• -N: specifies name of a local or domain user

• -G: specifies name of a local group

Add Active Directory Group

A 3-Series Control System cannot create or remove a group from Active Directory, but it can grant access to an existing group in Active Directory. When authentication is enabled, users with administrator privileges can add an Active Directory group to the control system and assign access levels. Once the group is added, all members of the group have access to the control system.

To add an existing Active Directory group:

ADDDOMAINGROUP -N:groupname -L:accesslevel
    -N: specifies the domain group name (domain\group)
    -L: specifies one of the following access levels:
        A: as an Administrator
        P: as a Programmer
        O: as an Operator
        U: as a User
        C: for Connection only

Delete Active Directory Group

When authentication is enabled, users with administrator privileges can remove a previously added Active Directory group from the control system. The group is not deleted from Active Directory. Once the group is removed from the control system, all members of that group lose access to the control system.


To remove an Active Directory group:

DELETEDOMAINGROUP domaingroupname
    domaingroupname: name of the domain group (domain\groupname) to be deleted.

List Users

The following command allows users with administrator privileges to list all users (local and domain) added to local groups:

LISTUSERS
    No parameters needed.

List Group Users

The following command allows administrators to see a list of all users in a specified group:

LISTGROUPUSERS groupname

List Local Groups

Users with administrator privileges can list all the local groups added to the control system. A 3-Series Control System comes with the following built-in groups, which cannot be deleted by any user: Administrators, Programmers, Operators, Users, and Connects.

To view a list of all local groups added to the control system, enter the following command:

LISTGROUPS [A] [P] [O] [U] [C]

• A: groups with administrator rights are listed

• P: groups with programmer rights are listed

• O: groups with operator rights are listed

• U: groups with user rights are listed

• C: groups with connection rights are listed

• No parameter: all groups are listed

List Active Directory Groups

Users with administrator privileges can list all the Active Directory groups that were added to the control system. To do so, use the following command:

LISTDOMAINGROUPS [A] [P] [O] [U] [C]
    A: groups with administrator rights are listed
    P: groups with programmer rights are listed
    O: groups with operator rights are listed
    U: groups with user rights are listed
    C: groups with connection rights are listed
    No parameter: all groups are listed


Show User Information

Administrators can query the controller to show the access rights of a particular user. To do so, use the following command:

USERINFOrmation username

Who Command Change

When Authentication is enabled, the administrators can see the currently logged-in users. This is in addition to what it currently lists. The list is filtered based on access level (lower access cannot see higher access).

To see the currently logged-in users, enter the following command:

WHO


Install a Certificate

When authentication is enabled, a self-signed certificate is created. A certificate from a trusted root authority might be needed in some installations.

To install a certificate, enter the following commands:

PRO3>certificate ?
CERTIFicate Cmd Certificate_Store <Certificate_Name> <Certificate_UID> <Password>
    Where Cmd = [ADD|REM|LIST|VIEW]
    Where Certificate_Store = [ROOT|MACHINE|USER|INTERMEDIATE]
    ADD Certificate_Store - Add Certificate (from known location) To Specified Certificate Store (MACHINE store requires password)
    REM Certificate_Store Certificate_Name Certificate_UID - Remove Specified Certificate From Specified Certificate Store
    LIST Certificate_Store - List All Certificates In Specified Certificate Store
    VIEW Certificate_Store Certificate_Name Certificate_UID - View Details Of Specified Certificate In Specified Certificate Store
    No parameter - Lists Usage

Disable Crestron Cloud

Crestron’s devices reach out to the cloud for uptime information and other diagnostic information, which may be against a site policy.

To disable cloud services, enter the following command:

ENABLEFEATURE CLOUDCLIENT OFF


Set Idle Time Out

A user might forget to log out of a console window using the LOGOFF command.

To set idle time out, enter the following command:

PRO3>setlogoffidletime ?
SETLOGOFFIDLETIME [minutes]
    minutes: Idle minutes passed before current user is logged off (limit seven days). Zero means user will not be logged off automatically.
    No parameter: display current transport setting


Setup Audit Loss

A secure system requires monitoring access.

NOTE: The system cycles through space pre-allocated for audit logs. It is the site responsibility to ensure these logs are archived on a regular basis if a complete history is required.

The Audit Log(s) can be retrieved from sftp://AuditLog or via the SSH console command below.

NOTE: Crestron recommends the following settings: AUDITLOG ON ALL

PRO3>auditlog ?
AUDITLogging [ON|OFF] {[ALL]|[NONE]|{[ADMIN] [PROG] [OPER] [USER]}}

• ON: Enable Logging

• OFF: Disable Logging

• No parameter: Displays current setting

NOTE: Logons, logoffs, and account management are always logged.

Optional, used to log commands by access level:

• ADMIN: Administrator

• PROG: Programmer

• OPER: Operator

• USER: User

• ALL: All Access Levels

• NONE: No Command Logging

Example: AUDITLOGGING ON ADMIN OPER

PRO3>printauditlog ?
PRINTAUDITLOG {[ALL]}
    All: Print the entire audit log
    No parameter: Print the last 50 entries from the log

PRO3>clearauditlog ?
CLEARAUDITLOG
    No parameter: Clears the audit log

PRO3>printauditlog
[12/19/2014 1:44:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 1:49:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 1:54:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 1:59:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:04:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:09:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:14:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:19:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:24:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:27:04 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 2:27:41 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # WHO
[12/19/2014 2:29:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:29:15 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # STOPTBCLIENT
[12/19/2014 2:29:36 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SNTP
[12/19/2014 2:34:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:39:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:44:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:49:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:54:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:59:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:04:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:09:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:14:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:19:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:19:14 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # USERUNPat
[12/19/2014 3:19:14 PM]: EVENT: LOGOFF (SHELL ) USER: admin123 # Console Session Terminated
[12/19/2014 3:24:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:27:17 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # VERsion
[12/19/2014 3:27:17 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # ISOLATENETworks
[12/19/2014 3:27:17 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # USERPAT
[12/19/2014 3:27:26 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # USERUNPat
[12/19/2014 3:27:33 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 3:27:43 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOGINAttempts
[12/19/2014 3:27:49 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOGINAttempts
[12/19/2014 3:27:57 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOCKOUTTIME
[12/19/2014 3:28:56 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETPAsswordrule
[12/19/2014 3:29:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:34:05 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CERTIFicate
[12/19/2014 3:34:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:35:48 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # TELNETport
[12/19/2014 3:35:51 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SNTP
[12/19/2014 3:35:54 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SNTP
[12/19/2014 3:38:01 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 3:38:38 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLogoffidletime
[12/19/2014 3:39:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:40:03 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # AUDITLogging
[12/19/2014 3:40:10 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # PRINTAUDITLOG
[12/19/2014 3:40:16 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CLEARerr
[12/19/2014 3:40:25 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CLEARAUDITLOG
[12/19/2014 3:40:32 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # PRINTAUDITLOG
--End of Log--
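Because the device cycles through a fixed audit-log area and PRINTAUDITLOG returns only the last 50 entries by default, the archive a site keeps is only useful if something actually reads it. The following parser is an added example for this guide, not Crestron tooling: it turns PRINTAUDITLOG output of the format shown above into records and picks out the commands that change who can log in or what gets logged (that list of commands is the example's own, assembled from the commands this guide documents, not a Crestron classification). The sample lines are taken from the output above and are embedded here so the script runs without a device.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# One PRINTAUDITLOG entry, e.g.
#   [12/19/2014 2:27:04 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: EVENT: (?P<event>\w+) \((?P<origin>[^)]*)\) "
    r"USER: (?P<user>.+?) # (?P<detail>.*)$"
)
_TRAILER = "--End of Log--"

# Commands from this guide that alter authentication, lockout, certificates or
# the audit trail itself. An entry for one of these in an archived log is what a
# reviewer should look at first (this grouping is the example's, not Crestron's).
SENSITIVE_COMMANDS = {
    "AUTH", "CIPHER", "SETPASSWORDRULE", "RESETPASSWORD",
    "SETLOGINATTEMPTS", "SETLOCKOUTTIME", "REMBLOCKEDIP", "ADDBLOCKEDIP",
    "ADDUSERTOGROUP", "REMOVEUSERFROMGROUP", "ADDDOMAINGROUP", "DELETEDOMAINGROUP",
    "AUDITLOGGING", "CLEARAUDITLOG", "SETLOGOFFIDLETIME", "CERTIFICATE",
    "WEBSERVER", "ENABLEFEATURE", "SECUREGATEWAYMODE",
}

# Constructed sample: a subset of the entries printed above.
SAMPLE_LOG = """\
[12/19/2014 2:27:04 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 2:27:41 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # WHO
[12/19/2014 2:29:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:19:14 PM]: EVENT: LOGOFF (SHELL ) USER: admin123 # Console Session Terminated
[12/19/2014 3:27:43 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOGINAttempts
[12/19/2014 3:40:03 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # AUDITLogging
[12/19/2014 3:40:25 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CLEARAUDITLOG
--End of Log--
"""


@dataclass(frozen=True)
class AuditEvent:
    time: datetime
    event: str      # COMMAND, LOGOFF, ...
    origin: str     # SHELL, or the program that issued the command
    user: str
    detail: str     # the command as logged, or a message for non-command events

    @property
    def command(self) -> str:
        """First word of the detail, upper-cased (the log shows commands with
        their abbreviation in capitals, e.g. SETLOGINAttempts)."""
        words = self.detail.split()
        return words[0].upper() if words else ""


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Parse PRINTAUDITLOG output; a line that is neither an entry nor the
    trailer raises, so a truncated or garbled capture is noticed, not skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line == _TRAILER:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a PRINTAUDITLOG entry: {line!r}")
        events.append(AuditEvent(
            time=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            event=m["event"],
            origin=m["origin"].strip(),
            user=m["user"],
            detail=m["detail"].strip(),
        ))
    return events


def sensitive_events(events: List[AuditEvent]) -> List[AuditEvent]:
    """COMMAND events whose command is in SENSITIVE_COMMANDS, in log order."""
    return [e for e in events
            if e.event == "COMMAND" and e.command in SENSITIVE_COMMANDS]


def log_was_cleared(events: List[AuditEvent]) -> bool:
    """True if a CLEARAUDITLOG appears: everything before it on the device is gone,
    so the archive is the only remaining copy."""
    return any(e.event == "COMMAND" and e.command == "CLEARAUDITLOG" for e in events)


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for e in sensitive_events(parsed):
        print(e.time.isoformat(), e.user, e.command)
    print("audit log cleared on device:", log_was_cleared(parsed))
```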


802.1x Authentication

For installations requiring 802.1x authentication:

NOTE: Familiarity with 802.1x is assumed by this document but for convenience the instructions for Setting Up 802.1x on a Windows Server® Device may be found later in this document.

8021XAUthenticate: Enable/Disable 802.1x Authentication
    8021xAuthenticate [ON | OFF]
    ON: Enable 802.1x Supplicant Authentication
    OFF: Disable 802.1x Supplicant Authentication
    No parameter: displays current setting

8021XDOMain: Configure/View 802.1x Domain Name
    8021xDomainName [Domain Name]
    DomainName: Update Domain Name to Domain Specified
    No parameter: displays current setting


8021XMEThod: Configure/View EAP Method
    8021xMethod [Password | Certificate | List]
    Password: 802.1x Supplicant Will Use Secured Password (EAP MSCHAP V2) EAP Method
    Certificate: 802.1x Supplicant Will Use Certificate EAP Method
    List: 802.1x Supplicant Will display the supported EAP Methods
    No parameter: displays current setting

8021XPASsword: Configure 802.1x Password
    8021xPassword [Password]
    {Password}: Update Password to One Specified
    No parameter: Echo back command

8021XSENdpeapver: Enable/Disable 802.1x PEAP version reporting
    8021xSendPeapVer [ON | OFF]
    ON: enable 802.1x PEAP version number report
    OFF: disable 802.1x PEAP version number report
    No parameter: displays current setting

8021XTRUStedcas: Select/List 802.1x Trusted CA Certificates
    8021xTrustedCAs [LIST|USE|DONTUSE] <Certificate_Name Certificate_UID>
    LIST: List All Trusted Root Certificates
    USE {Certificate Name and UID}: Add Specified Certificate To List Of Certificates Used To Validate The Server
    DONTUSE {Certificate Name and UID}: Remove Specified Certificate From List Of Certificates Used To Validate The Server
    No parameter: Display this help message

8021XUSERname: Configure/View 802.1x User Name
    8021xUsername Password <Name>
    Password: Displays current settings
    Password {Name}: Update User Name To Name Specified
    No parameter: Displays Help Menu

8021XVALidateserver: Require Validation Of 802.1x Authentication Server's Certificate
    8021xValidateServer [ON | OFF]
    ON: 802.1x Supplicant Will Validate Authentication Server's Certificate
    OFF: 802.1x Supplicant Will Not Validate Authentication Server's Certificate
    No parameter: displays current setting

Security Protocols

NOTE: For management over SSH, a client capable of connecting over SSHv2 is required. The SSH client must be compliant with a FIPS 140-2 validated server.

Crestron products use one or more of the following FIPS validated libraries:

• OpenSSL FIPS Object Module v2.0 has FIPS 140-2 certificate #1747.

• OpenSSL FIPS Object Module v1.2.x has FIPS 140-2 certificate #1051.

• Windows® Embedded Compact Cryptographic Primitives Library (bcrypt.dll) has FIPS 140-2 certificate #1989.

• Microsoft® Windows CE and Windows Mobile Enhanced Cryptographic Provider 6.00.1937 and Microsoft Windows Embedded Compact Enhanced Cryptographic Provider 7.00.1687 has FIPS 140-2 certificate #825.

More About User Groups

System architecture will support multiple user groups (either locally or from Active Directory® software). Any user can be a member of multiple groups. Both local and Active Directory groups can be given access.

A group can be given the following types of access:

1. Log into console/Telnet and have access to read-only system status/setting commands.

2. Use customer web x-panel.

3. Use setup web x-panel.

4. Log in to connect to CIP/Gateway connections (such as Fusion RoomView® software).

5. Use the appropriate command from the list below.

• Administrator commands are console commands that we rate as administrator. This includes commands that have to do with user accounts and changing system settings.

• Programmer commands are console commands that we rate as programmer. This includes commands that have to do with loading programs and loading files.

• Operator commands are console commands that we rate as operator. This includes commands that have to do with restarting programs, etc.

Out of the box, the device shall ship with the following local user groups with associated rights:

Columns 1–7 are the access types listed above: 1 console/Telnet read-only, 2 customer web x-panel, 3 setup web x-panel, 4 CIP/Gateway connections, 5 administrator commands, 6 programmer commands, 7 operator commands.

                      1  2  3  4  5  6  7
Crestron Admin        Y  Y  Y  Y  Y  Y  Y
Crestron Programmer   Y  Y  N  Y  N  Y  Y
Crestron Operator     Y  Y  N  Y  N  N  Y
Crestron User         N  Y  N  N  N  N  N
Crestron Connect      N  N  N  Y  N  N  N
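Because a user (or a mapped Active Directory group) can belong to several of these groups at once, the practical question when granting access is which single built-in group covers what a role needs with the fewest extra rights. The following is an added example, not Crestron code: it encodes the matrix above and answers that question. The union rule (a member of several groups holds every right any of them holds) is this example's assumption about how membership combines; the guide only states that multiple membership is possible.

```python
"""Effective rights for the built-in Crestron user groups, and the
least-privileged group for a required set of rights.

Added example, not Crestron code. The matrix reproduces the out-of-the-box
table in this guide. The union rule in effective_rights() is an assumption
about how multiple group membership combines.
"""

# Column order of the guide's table.
RIGHTS = (
    "console_readonly",     # 1: console/Telnet login, read-only status commands
    "web_xpanel",           # 2: customer web x-panel
    "setup_xpanel",         # 3: setup web x-panel
    "cip_gateway",          # 4: CIP/Gateway connections (e.g. Fusion RoomView)
    "admin_commands",       # 5: user accounts and system settings
    "programmer_commands",  # 6: loading programs and files
    "operator_commands",    # 7: restarting programs, etc.
)

GROUP_MATRIX = {
    "Crestron Admin":      "YYYYYYY",
    "Crestron Programmer": "YYNYNYY",
    "Crestron Operator":   "YYNYNNY",
    "Crestron User":       "NYNNNNN",
    "Crestron Connect":    "NNNYNNN",
}


def rights_of(group):
    """Set of rights a single built-in group grants."""
    return {r for r, flag in zip(RIGHTS, GROUP_MATRIX[group]) if flag == "Y"}


def effective_rights(groups):
    """Union of the rights of every group the user belongs to (assumed semantics)."""
    out = set()
    for g in groups:
        out |= rights_of(g)
    return out


def excess_rights(groups, required):
    """Rights the membership grants beyond what the role actually needs."""
    return effective_rights(groups) - set(required)


def least_privileged_groups(required):
    """Built-in group(s) that cover every required right with the fewest extras.

    Returns a list (sorted by name) because two groups can tie; an empty list
    means no single built-in group covers the request."""
    required = set(required)
    candidates = [(len(rights_of(g) - required), g)
                  for g in GROUP_MATRIX if required <= rights_of(g)]
    if not candidates:
        return []
    fewest = min(extra for extra, _ in candidates)
    return sorted(g for extra, g in candidates if extra == fewest)


if __name__ == "__main__":
    # A monitoring integration that only needs the CIP/Gateway connection.
    need = {"cip_gateway"}
    print("least privileged:", least_privileged_groups(need))
    print("excess if mapped to Programmer:",
          sorted(excess_rights(["Crestron Programmer"], need)))
```

The last two lines show the point: mapping a monitoring integration's AD group to Crestron Programmer, a common shortcut, hands it program-loading rights it never uses, whereas Crestron Connect grants exactly the CIP connection and nothing else.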

TSW Touch Screens

To harden a TSW-752, TSW-552, or TSW-1052, please use the following commands.

• AUTHENTICATION ON

NOTE: If talking to a control system with AUTHENTICATION ON (in the control system), supply the user/password for the control system CIP connection via the SETCSAUTHENTICATION command.

• TELNETPORT OFF

• SSL NOVERIFY

• SIPENABLE OFF

• FTPSERVER OFF

• ENTERSETUPSEQ DISABLE

DigitalMedia™ Devices

Matrix Switches

NOTE: The following information applies to the DM-MD8x8, DM-MD16x16, and DM-MD32x32.

To use DigitalMedia matrix switches, please execute the following commands:

TELNETPORT OFF
SSL SELF
PASSWORD

NOTE: A rooted certificate can also be used.

SSL [OFF | SELF | CA]
    where OFF turns off SSL,
    where SELF sets SSL to use self-signed certificates,
    where CA sets SSL to use CA issued certificates,
    No parameter: displays current setting

Transmitter and Receiver Devices

Transmitter and receiver devices may be controlled over a DigitalMedia link. It is not necessary to populate the LAN port. The following information applies to all DigitalMedia devices with a LAN courtesy port.

To disable a LAN courtesy port, please execute the following command:

PORTDISABLE EXTERNAL
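The hardening commands in the TSW, DigitalMedia and 802.1x sections are easy to issue once and then drift away from after a firmware update or a field visit, so it is worth re-checking them on a schedule. The following is an added example, not Crestron tooling, that compares a device's reported settings against the values those three sections list. The input format (one "SETTING VALUE" line per query, as the console shows the current setting when a command is issued with no parameter) is a constructed simplification, since the real echo text differs between devices and firmware; the two transcripts are constructed, not captured, and treating PORTDISABLE as a reported setting is an assumption.

```python
"""Compare a device's reported settings with the hardening commands in this guide.

Added example, not Crestron tooling, covering the TSW, DigitalMedia and 802.1x
sections. Expected values are the ones those sections list. The input format
(one "SETTING VALUE" line per query) is a constructed simplification; adapt
parse_settings() to what your device actually prints.
"""

# setting -> acceptable values (upper-case), per device class.
BASELINES = {
    "TSW": {                          # TSW-752 / TSW-552 / TSW-1052
        "AUTHENTICATION": {"ON"},
        "TELNETPORT": {"OFF"},
        "SSL": {"NOVERIFY"},          # value the guide lists for touch screens
        "SIPENABLE": {"OFF"},
        "FTPSERVER": {"OFF"},
        "ENTERSETUPSEQ": {"DISABLE"},
    },
    "DM-MD": {                        # DM-MD8x8 / DM-MD16x16 / DM-MD32x32
        "TELNETPORT": {"OFF"},
        "SSL": {"SELF", "CA"},        # self-signed, or a rooted (CA-issued) certificate
    },
    "DM-TXRX": {                      # devices with a LAN courtesy port
        "PORTDISABLE": {"EXTERNAL"},  # assumption: port state echoed like a setting
    },
}

# Applied on top of the device baseline when 802.1x is in use.
DOT1X_BASELINE = {
    "8021XAUTHENTICATE": {"ON"},
    "8021XVALIDATESERVER": {"ON"},
}


def parse_settings(transcript):
    """Map SETTING -> VALUE from a constructed 'SETTING VALUE' transcript."""
    settings = {}
    for line in transcript.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        settings[name.upper()] = value.strip().upper()
    return settings


def check(settings, device_class, require_dot1x=False):
    """Return (setting, actual, expected) for every deviation from the baseline."""
    expected = dict(BASELINES[device_class])
    if require_dot1x:
        expected.update(DOT1X_BASELINE)
    deviations = []
    for name, allowed in expected.items():
        actual = settings.get(name, "<not reported>")
        if actual not in allowed:
            deviations.append((name, actual, "|".join(sorted(allowed))))
    # Validating the server's certificate only means something if at least one
    # trusted CA was selected with 8021XTRUSTEDCAS USE.
    if require_dot1x and settings.get("8021XVALIDATESERVER") == "ON":
        cas = settings.get("8021XTRUSTEDCAS", "")
        if cas in ("", "<NONE>"):
            deviations.append(("8021XTRUSTEDCAS", cas or "<not reported>",
                               "at least one trusted CA"))
    return deviations


# Constructed transcripts (not captured from a device).
TSW_SAMPLE = """\
AUTHENTICATION ON
TELNETPORT ON
SSL NOVERIFY
SIPENABLE OFF
FTPSERVER ON
ENTERSETUPSEQ DISABLE
8021XAUTHENTICATE ON
8021XVALIDATESERVER OFF
8021XTRUSTEDCAS <NONE>
"""

DM_SAMPLE = """\
TELNETPORT OFF
SSL CA
8021XAUTHENTICATE ON
8021XVALIDATESERVER ON
8021XTRUSTEDCAS <NONE>
"""

if __name__ == "__main__":
    for label, sample, cls in (("TSW", TSW_SAMPLE, "TSW"), ("DM-MD", DM_SAMPLE, "DM-MD")):
        for name, actual, expected in check(parse_settings(sample), cls, require_dot1x=True):
            print(f"{label}: {name} is {actual}, expected {expected}")
```

The TSW transcript fails on the Telnet and FTP services left on and on 8021XVALIDATESERVER OFF; the DM transcript passes the per-setting checks but is still reported because validation is on with no trusted CA selected, which is the combination the per-command reference alone does not warn about.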

Enabling Remote Access

When enabling remote access to a system, always remap external ports from the defaults. Remapping external ports can cut down on the number of attempts to access the system. For example, a hacker cannot simply scan well-known ports for entry. Instead, they must scan all ports to figure out what protocols are supported before even attempting to log in to the system.

Most home routers will allow setting a different external and internal port number. Below is an example of a common home router setup page:

NOTE: If XPanel Web Browser is needed, port 843 must be opened.

Crestron Electronics, Inc.
15 Volvo Drive, Rockleigh, NJ 07647
Tel: 888.CRESTRON
Fax: 201.767.7656
www.crestron.com

Security Reference Guide — Doc. 8563H

04/23/20
Specifications subject to change without notice.