
Siveillance™ Video

Hardening Guide
2019
Copyright ............................................................................ 5
What is “Hardening?” ......................................................................... 6
Target audience ................................................................................................. 6
Resources and references .................................................................................... 7
Hardware and device components.......................................................................... 7
Cyber threats and cyber risks ............................................................................... 8
Cyber Risk Management Framework ....................................................................... 9
Hardening system components ........................................................................... 13
General setup .................................................................................................. 14
Servers, Workstations, Clients and Applications ..................................... 16
Basic steps .................................................................................... 16
Establish surveillance and security objectives ........................................ 16
Establish a formal security policy and response plan ............................................... 17
Use Windows users with Active Directory .............................................................. 17
Use Windows update ........................................................................................ 26
Keep software and device firmware updated .......................................................... 26
How to configure IPSEC ..................................................................................... 27
Use secure and trusted networks connection ......................................................... 27
Use firewalls to limit IP access to servers and computers ......................................... 28
Use antivirus on all servers and computers ............................................................ 35
Monitor logs in the VMS for signs of suspicious activity ........................................... 36
Advanced steps .............................................................................. 37
Adopt standards for secure network and VMS implementations ................................. 38
Establish an incident response plan ..................................................................... 38
Protect sensitive VMS components ...................................................................... 38
Follow Microsoft OS Security best practices .......................................................... 39
Use tools to automate or implement the security policy ............................................ 39
Follow established network security best practices ................................................. 39
Devices and network ......................................................................................... 40
Siveillance Video 2019 2 SI SSP SH LPS COS Video


Devices - basic steps ........................................................................ 40
Use strong passwords instead of default passwords ................................................ 40
Stop unused services and protocols ..................................................................... 40
Create dedicated user accounts on each device ...................................................... 41
Scanning for devices ........................................................................................ 42
Network - basic steps ........................................................................................ 42
Use secure and trusted networks connection ......................................................... 42
Use a firewall between the VMS and the Internet ..................................................... 43
Connect the camera subnet to the recording server subnet only ................................. 43
Devices - advanced steps ................................................................................... 43
Use Simple Network Management Protocol (SNMPv3) to monitor events ...................... 43
Network - advanced steps .................................................................................. 44
Use secure wireless protocols ............................................................................ 44
Use port-based access control ............................................................................ 44
Run the VMS on a dedicated network .................................................................... 45
Siveillance Video Servers ................................................................................... 45
Basic steps ..................................................................................................... 45
Use physical access controls and monitor the server room ....................................... 45
Use encrypted communication channels ............................................................... 45
Advanced steps .............................................................................. 46
Run services with service accounts ..................................................................... 46
Run components on dedicated virtual or physical servers ......................................... 46
Restrict the use of removable media on computers and servers ................................. 46
Use individual administrator accounts for better auditing .......................................... 47
Use subnets or VLANs to limit server access ......................................................... 47
Enable only the ports used by Event Server ........................................................... 47
SQL Server .................................................................................... 47
Connection to the database ............................................................... 47
Run the SQL Server database on a separate server .................................................. 48
Encrypt Connection to SQL Server ...................................................... 48
SQL Hardening ............................................................................... 48
Insecure SMB service ........................................................................................ 52



Management Server ......................................................................... 53
Adjust the token time-out ................................................................................... 53
Enable only the ports used by the management server ............................................. 53
Disable non-secure protocols ............................................................................. 53
Recording Server ............................................................................................. 54
Use separate network interface cards ................................................................... 55
Siveillance Video Mobile server component ........................................................... 55
Use a “demilitarized zone” (DMZ) to provide external access ..................................... 56
Disable non-secure protocols ............................................................................. 56
Backup Protection ............................................................................................ 70
Unsupported MSXML version ............................................................................ 101
Annexure 2 .................................................................................. 101
Appendix 2 - Acronyms ............................................................................................105



Copyright

Copyright © 2019. Siemens Switzerland Ltd. All rights reserved.


The information contained in this publication is company-proprietary to Siemens Switzerland Ltd. This
publication and related software are provided under a license agreement containing restrictions on use
and disclosure and are also protected by copyright law. Reverse engineering / copying of any Siemens
Switzerland Ltd hardware, software, documentation, or training materials is strictly prohibited.
This publication and related software remain the exclusive property of Siemens Switzerland Ltd. No part
of this publication or related software may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior
written permission from Siemens Switzerland Ltd.
Due to continued product development, the information in this publication and related software may
change without notice. Please report any errors to Siemens Switzerland Ltd in writing. Siemens
Switzerland Ltd does not warrant that this publication or related software is error-free.
Any references to companies or persons are for purposes of illustration only and are not intended to refer
to actual individuals or organizations.

Trademarks
Siveillance™ VMS is a registered trademark of Siemens AG.
All other product or company names mentioned in this document are trademarks or registered
trademarks of their respective owners and are used only for purposes of identification or description.

Contact
If you have questions or suggestions regarding the product or this documentation, please contact our
Siveillance Support Center:
Intranet: Siveillance VMS Intranet
Internet: Siveillance VMS Internet
Email: siveillance.support.industry@siemens.com
SIOS: My Support Portal
Training Courses: Internal Siemens BT Academy International
Training Courses: External Contact your local Siemens product representative



Introduction
This guide describes the IT security and physical security measures and best practices that are required to
achieve a minimum level of IT security for a video surveillance system. For higher security requirements,
we recommend performing a threat and risk analysis and deriving additional measures from it. The guide
covers security considerations for the hardware and software of the servers, clients and network device
components of the system.
This guide adopts standard security and privacy controls and maps them to each of the
recommendations. That makes it a resource for compliance with industry, government and network
security requirements. Siemens strongly recommends applying these suggestions to your installation.

What is “Hardening?”

Developing and implementing security measures and best practices is known as “hardening.”
Hardening is a continuous process of identifying and understanding security risks, and taking
appropriate steps to counter them. The process is dynamic because threats, and the systems they
target, are continuously evolving.
Most of the information in this guide focuses on IT settings and techniques, but it is important to
remember that physical security is also a vital part of hardening. For example, use physical barriers
around servers and client computers, and make sure that camera enclosures, locks, tamper alarms,
and access controls are secure.
The following are the actionable steps for hardening a VMS:
1. Understand the components to protect
2. Harden the surveillance system components:
a. Harden the servers (physical and virtual) and client computers and devices
b. Harden the network
c. Harden the cameras
3. Document and maintain security settings on each system
4. Train and invest in people and skills, including your supply chain

Target audience
Everyone in an organization must understand at least the basics about network and software security.
Attempts to compromise critical IT infrastructure are becoming more frequent, so everyone must take
hardening and security seriously.
This guide provides basic and advanced information for end users, system integrators, consultants,
and component manufacturers.
• Basic descriptions give general insight into security
• Advanced descriptions give IT-specific guidance for hardening Siveillance Video products. In
addition to software, it also describes security considerations for the hardware and device
components of the system



Resources and references
The following organizations provide resources and information about best practices for security:
• International Organization for Standardization (ISO) [1]
• United States (US) National Institute of Standards and Technology (NIST)
• Security Technical Implementation Guides (STIGs) from the US Defense Information
Systems Agency (DISA)
• Center for Internet Security (CIS)
• SANS Institute
• Cloud Security Alliance (CSA)
• Internet Engineering Task Force (IETF)
• British Standards Institution (BSI)

Additionally, camera manufacturers provide hardening guidance for their own devices. We strongly recommend
applying those guidelines in your system design.

This guide leverages country, international, and industry standards and specifications. In particular, it
refers to the United States Department of Commerce National Institute of Standards and Technology
Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf).
Note: The NIST document is written for the US Federal government; however, it is generally accepted in
the security industry as the current set of best practices.
This guide refers and links to additional information about security controls. The guidance can be
cross-referenced to industry-specific requirements and other international security and risk
management standards and frameworks. For example, the current NIST Cybersecurity Framework uses
SP 800-53 Rev 4 as a basis for its controls and guidance. Another example is Appendix H in SP 800-53
Rev 4, which maps the controls to ISO/IEC 27001 and to ISO/IEC 15408 (Common Criteria) requirements.

Hardware and device components

In addition to software, the components of a Siveillance Video installation typically include
hardware devices, such as:
• Cameras
• Encoders
• Networking products
• Storage systems
• Servers and client computers (physical or virtual machines)
• Mobile devices, such as Videophones

It is important to include hardware devices in your efforts to harden your Siveillance Video installation.
For example, cameras often have default passwords. Some manufacturers publish these passwords
online so that they’re easy for customers to find. Unfortunately, that means the passwords are also
available to attackers.
This document provides recommendations for hardware devices.



[1] See Appendix 1 for a list of references and Appendix 2 for a list of acronyms

Cyber threats and cyber risks

There are many sources of threats to a VMS, including business, technology, process and human attacks
or failures. A threat plays out over a lifecycle, as shown in Figure 1. The threat lifecycle, sometimes
called the “cyber kill chain” or “cyber threat chain,” was developed to describe the stages of advanced
cyber threats.
Each stage of a threat lifecycle takes time. The amount of time for each stage is particular to
the threat, or combination of threats, and its actors and targets.

Figure 1

The threat lifecycle is important for risk assessment because it shows where you can mitigate threats.
The goal is to reduce the number of vulnerabilities, and to address them as early in the lifecycle as
possible. For example, denying useful results to an attacker who is probing a system can end a threat
before it progresses any further.
Hardening puts in place actions that mitigate threats at each phase of the threat lifecycle. For example,
during the reconnaissance phase an attacker scans to find open ports and determine the status of
services that are related to the network and the VMS. To mitigate this, the hardening guidance is to close
unnecessary system ports in the Siveillance Video and Windows configurations, so that only the services
the deployment actually needs are reachable.
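The reconnaissance mitigation above is only checkable if you can see what a server actually exposes. The following PowerShell audit is an added example, not code from the Siemens guide: it lists every listening TCP port on a Windows VMS server together with its owning process, flags ports that are not on a documented allowlist, and prints the enabled inbound firewall rules that open specific ports. The allowlist entries (80, 443, 7563, 3389 and their descriptions) are assumptions for illustration; take the real list from the product's port documentation and your own design.

```powershell
# Added example, not part of the Siemens hardening guide.
# Audit listening TCP ports on a Windows VMS server against a documented allowlist.
# ASSUMPTION: the ports below are placeholders; use the product's port documentation.
$ExpectedPorts = @{
    80   = 'Management Server HTTP (assumed; prefer HTTPS)'
    443  = 'Management Server HTTPS (assumed)'
    7563 = 'Recording Server (assumed)'
    3389 = 'RDP, management subnet only (assumed)'
}

function Get-ListeningPortReport {
    # One object per listening socket, joined to the process that owns it.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $port = [int]$_.LocalPort
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $port
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            Purpose      = if ($ExpectedPorts.ContainsKey($port)) { $ExpectedPorts[$port] } else { 'NOT DOCUMENTED' }
        }
    } | Sort-Object LocalPort, LocalAddress
}

function Get-InboundAllowRules {
    # Enabled inbound allow rules that open specific ports: the firewall side of the same surface.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.LocalPort -ne 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $pf.Protocol
                LocalPort = ($pf.LocalPort -join ',')
            }
        }
    } | Sort-Object Rule
}

$report = Get-ListeningPortReport
$report | Format-Table -AutoSize

# Anything listening that is not documented is reconnaissance surface: either stop
# the service or add the port to the documented allowlist, never leave it undecided.
$unexpected = $report | Where-Object Purpose -eq 'NOT DOCUMENTED'
if ($unexpected) {
    $list = ($unexpected | ForEach-Object { "$($_.LocalPort)/$($_.Process)" } | Sort-Object -Unique) -join ', '
    Write-Warning "Undocumented listeners: $list"
}

Get-InboundAllowRules | Format-Table -AutoSize
```

Run it elevated on each server after installation and after every change, and keep the output with the system documentation; a diff against the previous run is the quickest way to notice a service that has started listening since the baseline.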
The risk and threat assessment process includes the following steps:



• Identify information and security risks
• Assess and prioritize risks
• Implement policy, procedures, and technical solutions to mitigate these risks

The overall process of risk and threat assessment, and the implementation of security controls, is
referred to as a risk management framework. This document refers to NIST security and privacy
controls and other publications about risk management frameworks.

Cyber Risk Management Framework

The security and privacy controls in SP 800-53 Revision 4 are part of an overall risk management
framework from NIST. Figures 2 and 3 come from NIST [2] document SP 800-39, which is a guide to
applying a risk management framework. SP 800-39 is also a foundational document for the NIST
Cybersecurity Framework [3].
• Figure 2 is an overview of the risk management process. It shows a high-level, overall
approach.
• Figure 3 looks at risk management at a business level, taking strategic and tactical
considerations into account.
• Figure 4 shows the lifecycle of a risk management framework, and the NIST
documents that provide details for each of the steps in the lifecycle.
Security and privacy controls represent specific actions and recommendations to implement as part of
a risk management process. It is important that the process includes the assessment of the
organization, the particular requirements of a given deployment, and the aggregation of these
activities into a security plan. There are references [4] for detailed security plans.

Figure 2: High-level view of risk management (SP 800-39)


The process is interactive, and responses and their outcomes are iterative. Security threats, risks,
responses and results are dynamic and adapt, and as a result so must a security plan.



[2] http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf, pages 8 and 9
[3] http://www.nist.gov/cyberframework/
[4] http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf

Figure 3: Balancing security and business goals (SP 800-39)


When hardening a system, you balance the impact on business productivity and usability against
security, and vice versa, in the context of the services you deliver. Security guidance is not
isolated from other business and IT activities.

For example, when a user enters their password incorrectly on three consecutive attempts, the
account is locked and they cannot access the system. The system is protected from brute-force
attacks, but the unlucky user cannot use the device to do their work. A password policy that
requires 30-character passwords and a password change every 30 days is often described as a best
practice, but it is also difficult to use; note that current NIST guidance in SP 800-63B no longer
recommends forced periodic password rotation.
Figure 3 shows how a risk management framework considers IT systems, business
processes, and the organization as a whole to find a balance for the security plan.



Figure 4: Example of a risk management framework (SP 800-53 Rev 4)
To document its risk management framework, NIST produced multiple special publications (see Figure
4). The framework includes the following steps:
1. Categorization (identification of risk level)
2. Selection of security and privacy controls
3. Implementation
4. Assessment of the effectiveness of security controls
5. Authorization: creating an improved system security profile, and what is called an Authority to
Operate (ATO)
6. Monitoring and evaluating through iterations
The risk management framework helps put a security plan and guidance in a security context.



Privacy by design

Siemens products are designed to deliver secure, end-to-end communication. Siemens products are
designed to protect privacy and to secure data. Data protection is always important, but especially if you
intend to be General Data Protection Regulation (GDPR) compliant in the EU.

According to GDPR, the controller of personal data, when processing such data, has an obligation to
implement technical or organizational measures which are designed to implement the data protection
principles set out in GDPR. GDPR refers to this as privacy by design.

In the context of a surveillance camera, a relevant example of privacy by design would be a feature that
digitally allows the user to restrict image capture to a certain perimeter, preventing the camera from
capturing any imagery outside this perimeter that would otherwise be captured.

In Siveillance Video, there is support for privacy masking in two forms – permanent masks that cannot be
removed, and liftable masks that (with the right permissions) can be lifted to reveal the image behind the
mask. The controller also has an obligation to implement technical or organizational measures which by
default ensure the least privacy intrusive processing of the personal data in question.

GDPR refers to this as privacy by default. In the context of a camera, a relevant example of privacy by
default could be using privacy masking to keep a sensitive area within the view of the camera private.

What should you do to ensure privacy by design?

• Consider the resolution of different points in the camera scene and document these settings
Different purposes require different image qualities. When identification is not necessary, the
camera resolution and other modifiable factors should be chosen to ensure that no recognizable
facial images are captured.

• Encrypt your recordings
Siemens recommends that you secure your recordings by enabling at least Light encryption on
your recording servers' storage and archives. Siveillance Video uses the AES-256 algorithm for
encryption. When you select Light encryption, only a part of each recording is encrypted. When you
select Strong encryption, the entire recording is encrypted.

• Secure the network
Siemens recommends that you select cameras that support HTTPS. Put the cameras on separate
VLANs and use HTTPS for camera-to-recording-server communication.
Siveillance Video Clients and Siveillance Video Monitor Walls should be on the same VLAN as the
servers.
Use a VPN-encrypted network or similar when using Video Client or Monitor Wall from a remote
location.

• Enable and document the intended retention time
According to Article 5(1)(e) of the GDPR (storage limitation), recordings must not be retained
longer than necessary for the specific purposes for which they were made. Siemens recommends
that you set the retention time according to regional laws and requirements, and in any case to a
maximum of 30 days.

• Secure exports
Siemens recommends that you only allow access to export functionality for a select set of users
who need this permission.
Siemens also recommends that the Video Client profile is changed to only allow export in
Siveillance Video Format with encryption enabled. AVI and JPEG exports should not be allowed,
because they cannot be made secure. This makes any exported evidence material password
protected, encrypted and digitally signed, ensuring that forensic material is genuine, untampered
with and viewed by the authorized receiver only.

• Enable privacy masking – permanent or liftable
Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.
Siemens recommends that you set a liftable blurring mask for sensitive areas and in places where
person identification is not allowed. Then create a second role that can authorize the mask to be
lifted.

• Restrict access rights with roles


Apply the principle of least privilege (PoLP).
Siemens recommends that you only allow access to functionality for a select set of users that need
this permission. By default, only the system administrator can access the system and perform tasks.
All new roles and users that are created have no access to any functions until they are deliberately
configured by an administrator.

Set up permissions for all functionality, including: viewing live video and recordings, listening to
audio, accessing metadata, controlling PTZ cameras, accessing and configuring Monitor Wall, lifting
privacy masks, working with exports, saving snapshots, and so on.

Grant access to only the cameras that the specific operator needs to access, and restrict access to
recorded video, audio, and metadata for operators, either completely, or grant access to only the
video, audio, or metadata recorded in the past few hours or less.

Regularly assess and review roles and responsibilities for operators, investigators, system
administrators and others with access to the system. Does the principle of least privilege still apply?

• Enable and use two-step verification


Siemens recommends that you specify an additional login step for users of Siveillance Video Mobile
or Siveillance Video Web Client by enabling two-step verification.

• Restrict administrator permissions


Siemens recommends that you limit the number of users that have an Administrator role. If you
need to create multiple Administrator roles, you can restrict their access by creating Administrator
roles that can manage only select parts of the system, such as certain devices or functions.

Siemens also recommends that the VMS administrator does not have full administrator rights on
the storage that contains recorded video, and that the storage administrator does not have access to
the VMS or backup administration. For security, segment the network so that there is a
client/management network, and camera networks behind the recording servers.

Hardening system components


To harden system components, you change configurations to reduce the risk of a successful attack.
Attackers look for a way in, and look for vulnerabilities in exposed parts of the system. Surveillance
systems can involve 100s or even 1000s of components. Failure to secure any one component can
compromise the system.

The need to maintain configuration information is sometimes overlooked. Siveillance Video provides
features for managing configurations, but organizations must have a policy and process in place, and
commit to doing the work.



Hardening requires that you keep your knowledge about security up to date:
• Be aware of issues that affect software and hardware, including operating systems, mobile
devices, cameras, storage devices, and network devices. Establish a point of contact for all of
the components in the system. Ideally, use reporting procedures to track bugs and
vulnerabilities for all components.
• Keep current on Common Vulnerabilities and Exposures (CVEs) [5] for all system components.
These can relate to the operating systems, devices that have hard-coded maintenance
passwords, and so on. Address vulnerabilities for each component, and alert manufacturers to
vulnerabilities.
• Review Siveillance Video Knowledge Base (KB) articles
(https://support.industry.siemens.com/cs/start?lc=en-WW), and regularly review logs for
signs of suspicious activity.
• Maintain up-to-date configuration and system documentation for the system. Use change-control
procedures for the work you perform, and follow best practices for configuration management [6].
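The log review above, and the account-lockout trade-off discussed under the risk management framework, come down to the same question: who is failing to authenticate to the VMS servers, how often, and from where. The following PowerShell script is an added example, not part of the Siemens guide. It reads Windows Security events 4625 (failed logon) and 4740 (account locked out) on the local server, groups failures by source address, and reports sources that exceed a threshold. The time window, the threshold and the field interpretations are assumptions; the VMS's own audit log is a separate source that this script does not read.

```powershell
# Added example, not part of the Siemens hardening guide.
# Summarize failed logons (Security event 4625) and lockouts (4740) on a VMS server
# to spot brute-force or password-spray attempts against it. Run elevated, and make
# sure the "Audit Logon" subcategory records failures, or 4625 is never written.
param(
    [int]$Hours = 24,
    [int]$Threshold = 10   # ASSUMPTION: failures per source that are worth a look
)

function ConvertFrom-EventData {
    # EventData of 4625/4740 is a list of <Data Name="...">value</Data> nodes; flatten to a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $d = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $d
}

function Get-FailedLogons([datetime]$Since) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType     # 3 = network (SMB, HTTP auth), 10 = RDP
                SourceIP    = $d.IpAddress
                Workstation = $d.WorkstationName
                SubStatus   = $d.SubStatus     # 0xC000006A bad password, 0xC0000064 unknown user
            }
        }
}

function Get-SuspiciousSources($Failures, [int]$MinCount) {
    # Many failures from one source is brute force; many *accounts* from one source is spraying.
    $Failures | Group-Object SourceIP | Where-Object Count -ge $MinCount | ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.Account | Sort-Object -Unique).Count
            Unknown  = ($_.Group | Where-Object SubStatus -eq '0xc0000064').Count
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

$since    = (Get-Date).AddHours(-$Hours)
$failures = @(Get-FailedLogons -Since $since)
"$($failures.Count) failed logons since $since"
Get-SuspiciousSources -Failures $failures -MinCount $Threshold | Format-Table -AutoSize

# Lockouts show where the account-lockout policy actually fired; in a 4740 event the
# computer that triggered the lockout is carried in the TargetDomainName field.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    } | Format-Table -AutoSize
```

A source with many failures against one account is the brute-force pattern the lockout policy is meant to stop; a source with a few failures each against many accounts is password spraying, which a per-account lockout threshold does not catch, so the Accounts column matters as much as the Failures column. Schedule the script, or forward the events to the log collector your response plan names, rather than running it only after an incident.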
The following sections provide basic and advanced hardening and security recommendations for each
system component. The sections also contain examples of how these relate to specific security controls
described in NIST Special Publication 800-53 Revision 4, titled Security and Privacy Controls for
Federal Information Systems and Organizations.
In addition to the NIST document, the following sources are referenced:
• Center for Internet Security
• SP 800-53
• ISO 27001
• ISO/IEC 15408 (also known as Common Criteria [7])

Appendix 1 - Resources in this document provides recommendations from camera manufacturers. This is
a relatively new effort from manufacturers, so limited resources are available. For the most part, the
recommendations can be generalized across camera manufacturers.

[5] https://cve.mitre.org/
[6] http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf
[7] http://www.iso.org/iso/catalogue_detail.htm?csnumber=50341

General setup

To help secure your surveillance system, Siemens recommends the following:


• Restrict access to servers. Keep servers in locked rooms, and make it difficult for intruders to
access network and power cables. [8]
• Design a network infrastructure that uses physical network or VLAN segmentation [9] as much
as possible:
o Separate the camera network from the server network by having two network
interfaces in each recording server: one for the camera network, and one for the
server network.
o Put the mobile server in a “demilitarized zone” (DMZ) [10] with one network interface
for public access, and one for private communication to other servers.
o Many precautions can be taken in the general setup. In addition to firewalls [11],
these include techniques to segment the network and control access to the servers,
clients and applications.
o Separate the VMS server network from the office network by isolating it in its own
network zone. Configure the firewalls and VLANs to allow only required and
specified traffic.
o Secure the communication between all Siveillance Video servers by applying a
server-to-server IPsec layer.
• Configure the VMS with roles that control access to the system, and designate tasks and
responsibilities. [12]
Figure 5 shows an example of a general setup.

Figure 5
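The two-NIC recording server, the isolated server zone and the server-to-server IPsec layer listed above can be expressed as Windows Firewall and connection security rules. The following PowerShell script is an added example, not the guide's own procedure: it sets deny-by-default, confines the camera-facing interface to the camera subnet, opens the recorder port and RDP on the server interface to specific sources only, and requires IPsec with Kerberos machine authentication (so domain-joined hosts) between servers. The interface aliases, subnets, management host and recorder port are placeholders; the DMZ placement of the mobile server is not covered here.

```powershell
# Added example, not part of the Siemens hardening guide.
# Recording server with two NICs: confine the camera-facing NIC to the camera
# subnet, expose the recorder port on the server NIC to the server subnet only,
# and require IPsec between VMS servers. ASSUMPTIONS: interface aliases, subnets,
# management host and the recorder port are placeholders; the hosts are domain
# members (Kerberos machine authentication). Run elevated, on a lab host first.
$CameraIf     = 'Cameras'        # NIC on the camera VLAN
$ServerIf     = 'Servers'        # NIC on the VMS server network
$CameraSubnet = '10.20.0.0/24'
$ServerSubnet = '10.10.0.0/24'
$MgmtHosts    = '10.10.0.10'     # admin workstation(s) allowed to RDP
$RecorderPort = 7563             # assumed; use the documented recording-server port

# 1. Deny inbound by default on every profile. Everything that follows is an explicit exception.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Camera NIC: accept inbound only from the camera subnet (cameras pushing events),
#    so a compromised camera VLAN still cannot reach other listeners on this host.
New-NetFirewallRule -DisplayName 'VMS: camera NIC, camera subnet only' `
    -Direction Inbound -Action Allow -InterfaceAlias $CameraIf `
    -RemoteAddress $CameraSubnet -Profile Any | Out-Null

# 3. Server NIC: recorder port for clients and other VMS servers, RDP for admins only.
New-NetFirewallRule -DisplayName 'VMS: recorder port from server subnet' `
    -Direction Inbound -Action Allow -InterfaceAlias $ServerIf `
    -Protocol TCP -LocalPort $RecorderPort -RemoteAddress $ServerSubnet | Out-Null
New-NetFirewallRule -DisplayName 'VMS: RDP from management hosts' `
    -Direction Inbound -Action Allow -InterfaceAlias $ServerIf `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtHosts | Out-Null

# 4. IPsec between servers. Inbound is required; outbound only *requests* security so
#    the rule can be rolled out server by server without cutting any of them off.
#    Once every server carries the rule, change -OutboundSecurity to Require.
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'VMS machine auth' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
New-NetIPsecRule -DisplayName 'VMS: IPsec between servers' `
    -InboundSecurity Require -OutboundSecurity Request `
    -LocalAddress $ServerSubnet -RemoteAddress $ServerSubnet `
    -Phase1AuthSet $auth.Name | Out-Null

# 5. Verify: the rules exist, and after some server-to-server traffic a main-mode SA is up.
Get-NetFirewallRule -DisplayName 'VMS:*' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
Get-NetIPsecRule -DisplayName 'VMS:*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Because block rules win over allow rules in Windows Firewall, the camera-NIC allow rule only narrows what the default-block already denies; nothing on the camera interface is reachable from outside the camera subnet. Keep these rules in the documented baseline so a re-imaged server gets them back, and check the main-mode SA list after rollout: an empty list with servers still talking means the IPsec rule is not actually being negotiated.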

[8] PE-2 and PE-3 in Appendices D and F in NIST 800-53 Rev4 (PE stands for Physical and Environmental
Protection)
[9] SC-3 in Appendices D and F in NIST 800-53 Rev4 (SC stands for System and Communications
Protection)
[10] SC-7 in Appendices D and F in NIST 800-53 Rev4
[11] AC-3, AC-4, AC-6, CA-3, CM-3, CM-6, CM-7, IR-4, SA-9, SC-7, SC-28, SI-3, SI-8 in
Appendices D and F in NIST 800-53 Rev4 (AC stands for Access Control, CM for Configuration
Management, IR for Incident Response, SA for System and Services Acquisition, SI for System and
Information Integrity)
[12] AC-2, AC-3, AC-6, AC-16, AC-25, AU-6, AU-9, CM-5, CM-11, IA-5, PL-8, PS-5, PS-7,
SC-2, SI-7 in Appendices D and F in NIST 800-53 Rev4 (AU stands for Audit and Accountability, IA for
Identification and Authentication, PL for Planning)

Servers, Workstations, Clients and Applications

This section provides hardening guidance based on Microsoft Windows and the services that Siveillance
Video uses. This includes:
• The Siveillance Video product running on Windows Servers
• The device pack installed on the recording servers
• The server hardware or virtual platforms, and operating systems and services
• The client computers for Siveillance Video Client and Siveillance Video Web Client
• Mobile devices and their operating systems and applications

Basic steps

Establish surveillance and security objectives


Before implementing Siveillance Video, Siemens recommends that you establish surveillance
objectives. Define goals and expectations related to capturing and using video data and related
metadata. All stakeholders should understand the surveillance objectives.13
When surveillance objectives are in place, you can establish the security objectives. Security
objectives support the surveillance objectives by addressing what to protect in the VMS. A shared
understanding of security objectives makes it easier to secure the VMS and maintain data integrity.
With the surveillance and security objectives in place, you can more easily address the operational
aspects of securing the VMS, such as how to:
• Prevent data from being compromised
• Respond to threats and incidents when they occur, including roles and responsibilities.

Establish surveillance and security objectives

• Ensure that all Siveillance Video components are time synchronized. Siemens recommends
using a network time server.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 PL-2 System Security Plan

• NIST SP 800-53 SA-4 Acquisition Process

13 Specifics of surveillance objectives can be found in other documents, for example “BS EN 62676-1-1: Video surveillance systems for use in security applications. System requirements. General”.

Establish a formal security policy and response plan

Siemens recommends that you establish a formal security policy14 and a response plan that describe
how your organization addresses security issues, in terms of practical procedures and guidelines. For
example, a security policy can include:
• A password policy defined by the internal IT department
• Access control with ID badges
• Prevent Videophones from connecting to the network
Adopt existing IT policies and plans if they adhere to security best practices.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 IR-1 Incident Response Policy and Procedures
• NIST SP 800-53 PM-1 Information Security Program Plan

Use Windows users with Active Directory


There are two types of users in Siveillance Video:
• Basic user: a dedicated VMS user account authenticated by a combination of username and
password using a password policy. Basic users connect to the VMS using a Secure Sockets
Layer (SSL) session with the current Transport Layer Security (TLS)15 protocol for login,
encrypting the traffic contents including the username and password. The use of basic users is
only appropriate for systems with low or very low security requirements. Even in cases with such
low requirements, Siemens recommends that a threat and risk analysis is conducted before
basic users are used. Siemens recommends using Windows users instead.
• Windows user: the user account is specific to a machine or a domain, and it is authenticated
based on the Windows login. Windows users connecting to the VMS can use Microsoft Windows
Challenge/Response (NTLM) for login, Kerberos (see "About Kerberos authentication"), or other
SSP options from Microsoft (https://msdn.microsoft.com/en-us/library/windows/desktop/aa380502(v=vs.85).aspx).
Siemens strongly recommends that you use only Windows users in combination with Active Directory
to authorize access to the VMS. This allows you to enforce:

• A password policy that requires users to change their password regularly.
• Brute force protection, so that the Windows AD account is blocked after a number of failed
authentication attempts, again in line with the organization's password policy.
• Multi-factor authentication in the VMS, particularly for administrators.
• Role-based permissions, so you can apply access controls across your domain.

• Reference to Secured password policy setting guidelines.
If your organization does not use AD, you can add Windows users to workgroups on the management
server instead. Workgroups give you some of the same advantages as Windows users with AD. You can
enforce a password policy, which helps protect against brute force attacks, but Siemens recommends that
you use a Windows Domain because this gives you central control over user accounts.

Windows users have the advantage of being authenticated via the directory as a single authoritative
source and enterprise service for the network, and not ad hoc for their local machine. This lets you use
role-based access controls to assign permissions to users and groups consistently across the domain and
the computers on the network.
If you use local Windows users, a local user name and password must be created on each machine,
which is problematic from both a security and a usability perspective.
To add Windows users or groups to roles in Management Client, follow these steps:

1. Open Management Client.
2. Expand the Security node.
3. Select the role to which you want to add the Windows users.
4. On the Users and Groups tab, click Add, and select Windows user. A pop-up window appears.
5. If the domain name does not appear in the From this location field, click Locations.
6. Specify the Windows user, and then click OK.


To verify that the Windows user is an AD user, the domain name must appear as a prefix, for example
"Domain\John".

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 SA-5 Information System Documentation
• NIST SP 800-53 SA-13 Trustworthiness

Secure Communication (Explained)


Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP)
for secure communication over a computer network. In HTTPS, the communication protocol is encrypted
using Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL).

In Siveillance Video, the secure communication is obtained by using SSL/TLS with asymmetric encryption
(RSA).

SSL/TLS uses a pair of keys—one private, one public—to authenticate, secure, and manage secure
connections.

A certificate authority (CA) can issue certificates to web services on servers using a CA certificate. This
certificate contains two keys, a private key and public key. The public key is installed on the clients of a
web service (service clients) by installing a public certificate. The private key is used for signing server
certificates that must be installed on the server. Whenever a service client calls the web service, the web
service sends the server certificate including the public key to the client. The service client can validate the
server certificate using the already installed public CA certificate. The client and the server can now use
the public and private server certificate to exchange a secret key and thereby establish a secure SSL/TLS
connection.
For more information about TLS: https://en.wikipedia.org/wiki/Transport_Layer_Security

Note: Certificates have an expiry date. Siveillance Video will not warn you when a certificate is about
to expire. If a certificate expires:
- The clients will no longer trust the recording server with the expired certificate and thus
cannot communicate with it.
- The recording servers will no longer trust the management server with the expired
certificate and thus cannot communicate with it.
- The mobile devices will no longer trust the mobile server with the expired certificate and
thus cannot communicate with it.
To renew the certificates, follow the steps in this guide as you did when you created
certificates.

When you renew a certificate with the same subject name and add it to the Windows Certificate Store, the
servers will automatically pick up the new certificate. This makes it easier to renew certificates for many
servers without having to re-select the certificate for each server and without restarting the services.

Management server encryption (explained)


You can encrypt the two-way connection between the management server and the recording server.
When you enable encryption on the management server, it applies to connections from all the recording
servers that connect to the management server. Therefore, you need to enable encryption on all the
recording servers. Before you enable encryption, you must install security certificates on the management
server and all recording servers.

Certificate distribution for management servers


The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in
Siveillance Video to secure the communication to the management server.

• A CA certificate acts as a trusted third party, trusted by both the Subject/owner (management
server) and by the party that verifies the certificate (recording servers)
• The public CA certificate must be trusted on all recording servers. In this way the recording
servers can verify the validity of the certificates issued by the CA
• The CA certificate is used to issue private server authentication certificates to the management
server
• The created private management server certificates must be imported to the Windows Certificate
Store

Requirements for the private management server certificate:

• Issued to the management server so that the management server's host name is included in the
certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
• Trusted on all recording servers connected to the management server, by trusting the CA
certificate that was used to issue the management server certificate
• The service account that runs the Management Server service must have access to the private
key of the certificate on the management server
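The following PowerShell script is an added example, not part of this guide, that audits the certificates in the local machine store against the requirements listed above (host name in the subject or DNS name list, trust via the CA certificate) and against the expiry note in "Secure Communication (Explained)", since the VMS does not warn about expiry itself. It applies equally to the recording server and mobile server certificates described later; the $WarnDays threshold is a locally chosen assumption, not a product setting, and the script must run elevated on the server being checked.

```powershell
# Added example (not from the Siveillance Video guide): audit server
# certificates in the local machine store for the conditions this guide lists.
# Assumptions: run in an elevated PowerShell on the management, recording or
# mobile server; $WarnDays is a locally chosen threshold, not a product setting.
param(
    [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$WarnDays = 30
)

$now   = Get-Date
# Only certificates with a private key can be used as server certificates.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $certs) {
    $issues = @()

    # 1. The host name must be the subject CN or one of the DNS SAN entries.
    $cn = $cert.Subject -split ',' |
          Where-Object { $_.Trim() -like 'CN=*' } |
          ForEach-Object { $_.Trim().Substring(3) }
    $names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $match = $names | Where-Object { $_ -ieq $HostName -or $_ -ieq $env:COMPUTERNAME }
    if (-not $match) {
        $issues += "host name '$HostName' not in subject/DNS names [$($names -join ', ')]"
    }

    # 2. Expiry: flag anything already expired or inside the warning window.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    if ($daysLeft -lt 0) {
        $issues += "expired $(-$daysLeft) days ago"
    } elseif ($daysLeft -lt $WarnDays) {
        $issues += "expires in $daysLeft days"
    }

    # 3. The chain must build to a CA certificate this computer trusts.
    #    Revocation checking is disabled so the audit also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $issues += "chain does not validate ($status)"
    }
    $chain.Reset()

    # Not checked here: whether the service account can read the private key.
    # Verify that separately in the certificate's "Manage Private Keys" dialog.
    $state = if ($issues.Count -gt 0) { $issues -join '; ' } else { 'OK' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Status     = $state
    }
}
```

Schedule the script to run periodically and alert on any row whose Status is not OK, which fills the gap left by the missing expiry warning.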

Recording server data encryption (explained)

Encryption to clients and servers that retrieve data from the recording server
When you enable encryption on a recording server, communication to all clients, servers, and integrations
that retrieve data streams from the recording server is encrypted. These are referred to in this document as 'clients':

• Siveillance Video Client
• Management Client
• Management Server (for System Monitor and for images and AVI video clips in email notifications)
• Siveillance Video Mobile Server
• Siveillance Video Event Server
• Siveillance Video LPR
• ONVIF Bridge
• Siveillance Video DLNA Server
• Sites that retrieve data streams from the recording server through VMS Interconnect
• Some third-party MIP SDK integrations

Note: For solutions built with MIP SDK 2018 R3 or earlier that access recording servers: if the
integrations are made using MIP SDK libraries, they need to be rebuilt with MIP SDK 2019
R1; if the integrations communicate directly with the Recording Server APIs without using
MIP SDK libraries, the integrators have to add HTTPS support themselves.

Certificate distribution
The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in
Siveillance Video to secure the communication to the recording server.

• A CA certificate acts as a trusted third party, trusted by both the Subject/owner (recording server)
and by the party that verifies the certificate (clients)
• The public CA certificate must be trusted on all client computers. In this way the clients can verify
the validity of the certificates issued by the CA
• The CA certificate is used to issue private server authentication certificates to the recording
servers
• The created private recording server certificates must be imported to the Windows Certificate
Store on all recording servers

Requirements for the private recording server certificate:


• Issued to the recording server so that the recording server's host name is included in the
certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to
• Trusted on all computers running services that retrieve data streams from the recording servers,
by trusting the CA certificate that was used to issue the recording server certificate
• The service account that runs the recording server must have access to the private key of the
certificate on the recording server.

Note: If you enable encryption on the recording servers and your system applies failover
recording servers, Siemens recommends that you also prepare the failover recording
servers for encryption.

Encryption from the management server


You can encrypt the two-way connection between the management server and the recording server.
When you enable encryption on the management server, it applies to connections from all the recording
servers that connect to the management server. Therefore, you need to enable encryption on all the
recording servers. Before you enable encryption, you must install security certificates on the management
server and all recording servers.

Certificate distribution
The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in
Siveillance Video to secure the communication from the management server.

• A CA certificate acts as a trusted third party, trusted by both the Subject/owner (recording server)
and by the party that verifies the certificate (management server)
• The public CA certificate must be trusted on the management server. In this way the management
server can verify the validity of the certificates issued by the CA
• The CA certificate is used to issue private server authentication certificates to the recording
servers
• The created private recording server certificates must be imported to the Windows Certificate
Store on the management server

Requirements for the private recording server certificate:


• Issued to the recording server so that the recording server's host name is included in the
certificate, either as subject (owner) or in the list of DNS names that the certificate is issued to

• Trusted on the management server, by trusting the CA certificate that was used to issue the
recording server certificate
• The service account that runs the recording server must have access to the private key of the
certificate on the recording server.

Mobile server data encryption (explained)


In Siveillance Video, encryption is enabled or disabled per mobile server. When you enable encryption on
a mobile server, you will have the option to use encrypted communication with all clients, services, and
integrations that retrieve data streams.

Certificate distribution for mobile servers


The graphic illustrates the basic concept of how certificates are signed, trusted, and distributed in
Siveillance Video to secure the communication with the mobile server.

• A CA certificate acts as a trusted third party, trusted by both the subject/owner (mobile server) and
by the party that verifies the certificate (all clients)
• The CA certificate must be trusted on all clients. In this way clients can verify the validity of the
certificates issued by the CA
• The CA certificate is used to establish secure connection between the mobile server and clients
and services
• The CA certificate must be installed on the computer on which the mobile server is running

Requirements for the CA certificate:


• The mobile server's host name must be included in the certificate, either as subject/owner or in
the list of DNS names that the certificate is issued to
• The certificate must be trusted on all devices that are running services that retrieve data streams
from the mobile server

• The service account that runs the mobile server must have access to the private key of the CA
certificate

About Kerberos authentication

Kerberos is a ticket-based network authentication protocol. It is designed to provide strong authentication
for client/server or server/server applications.

Use Kerberos authentication as an alternative to the older Microsoft NT LAN Manager (NTLM) authentication
protocol.

Kerberos authentication requires mutual authentication, where the client authenticates to the service and
the service authenticates to the client. This way you can authenticate more securely from Siveillance
Video clients to Siveillance Video servers without exposing your password.
To make mutual authentication possible in your Siveillance Video management software you must register
Service Principal Names (SPN) in Active Directory. An SPN is an alias that uniquely identifies an entity
such as a VMS server service. Every service that uses mutual authentication must have an SPN
registered so that clients can identify the service on the network. Without correctly registered SPNs,
mutual authentication is not possible.

The table below lists the different Siveillance Video services with corresponding port numbers you need to
register:

Service | Port number
Management server - IIS | 80 - Configurable
Management server - Internal | 8080
Recording server - Data Collector | 7609
Failover Server | 8990
Event Server | 22331
LPR Server | 22334

The number of services you need to register in Active Directory depends on your current installation.
Data Collector is installed automatically when installing Management Server, Recording Server, Event
Server, LPR Server or Failover Server.

You must register two SPNs for the user running the service: one with the hostname and one with the fully
qualified domain name.

If you are running the service under a network user service account, you must register the two SPNs for
each computer running this service.

This is the Siveillance Video SPN naming scheme:
VideoOS/[DNS Host Name]:[Port]
VideoOS/[Fully qualified domain name]:[Port]

The following is an example of SPNs for the recording server service running on a computer with the
following details:
Hostname: Record-Server1
Domain: Surveillance.com
SPNs to register:
VideoOS/Record-Server1:7609
VideoOS/Record-Server1.Surveillance.com:7609
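The following PowerShell script is an added example, not part of this guide, that builds both SPNs (host name and fully qualified domain name) for each selected service using the VideoOS naming scheme and the default ports from the table above, checks for duplicates, and registers them with setspn.exe. The account name is a placeholder: use the service user, or the computer account (DOMAIN\HOST$) when the service runs as Network Service, and the service list and port numbers are assumed to match your installation.

```powershell
# Added example (not from the Siveillance Video guide): register the two SPNs
# the guide requires for each Siveillance Video service on this computer.
# Assumptions: setspn.exe is available (it ships with the AD DS tools); the
# -Account value is a placeholder for the service user or the computer account.
param(
    [Parameter(Mandatory)] [string]$Account,
    [string[]]$Services = @('Recording server - Data Collector'),
    [string]$HostName  = $env:COMPUTERNAME,
    [string]$DnsDomain = $env:USERDNSDOMAIN,
    [switch]$DryRun
)

# Default ports per service, taken from the guide's SPN table.
$defaultPorts = @{
    'Management server - IIS'           = 80
    'Management server - Internal'      = 8080
    'Recording server - Data Collector' = 7609
    'Failover Server'                   = 8990
    'Event Server'                      = 22331
    'LPR Server'                        = 22334
}

$fqdn = "$HostName.$DnsDomain"
foreach ($service in $Services) {
    if (-not $defaultPorts.ContainsKey($service)) {
        Write-Warning "Unknown service '$service'; skipping."
        continue
    }
    $port = $defaultPorts[$service]
    # One SPN with the short host name, one with the FQDN, as the guide requires.
    foreach ($name in @($HostName, $fqdn)) {
        $spn = "VideoOS/${name}:$port"
        # An SPN registered on two accounts breaks Kerberos for both, so query
        # the forest first; setspn -Q prints "Existing SPN found!" on a hit.
        $query = & setspn.exe -Q $spn 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Host "exists    $spn"
            continue
        }
        if ($DryRun) {
            Write-Host "would add $spn -> $Account"
            continue
        }
        # -S re-checks for duplicates across the forest before adding.
        $result = & setspn.exe -S $spn $Account 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn failed for ${spn}: $result"
        } else {
            Write-Host "added     $spn -> $Account"
        }
    }
}

# Show what is now registered for the account so the result can be reviewed.
& setspn.exe -L $Account
```

Run once with -DryRun to review the SPNs before they are written to the directory.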

Use Windows update

Siemens recommends that you use Windows Update to protect your VMS against vulnerabilities in the
operating system by making sure that the latest updates are installed. Siveillance Video is Windows-
based, so security updates from Windows Update are important.
Updates can require a connection to the Internet, so Siemens recommends that this connection is open
only as required, and that it is monitored for unusual traffic patterns.
Windows Updates often require a restart. This can be a problem if high-availability is required, because
the server cannot receive data from devices while it restarts.
There are several ways to avoid this, or minimize the impact. For example, you can download updates
to the server, and then apply them at a time when a restart will disrupt surveillance as little as possible.
If high availability is a concern, Siemens recommends that you run management server and event
servers in clusters that include one or more failover servers. The failover server will take over while the
recording server restarts, and surveillance is not interrupted. Do not include recording servers in the
cluster. For recording servers, use a failover recording server.
Note: Before implementing Windows updates across the organization, Siemens recommends that you
verify the updates in a test environment.17
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SI-2 FLAW REMEDIATION

Keep software and device firmware updated


Siemens recommends that you use the latest version of Siveillance Video and firmware for the hardware
devices, for example the cameras. This will ensure that your system includes the latest security fixes.
For hardware, network components, and operating systems, check the CVE database18 as well as any
updates pushed out by manufacturers.
Before you upgrade the device firmware, verify that Siveillance Video supports it. Also, make sure that
the device pack installed on the recording servers supports the device firmware.
Do this in a test environment for configuration, integration and testing before putting it into the production
environment.

14 NIST 800-53 CM-8 Information system component inventory and sandboxing and SC-44 Detonation Chambers
15 https://cve.mitre.org/

To verify that the VMS supports a device, follow these steps:

1. Open this link: https://siveillancevmstools.siemens.com/SHW
2. Click the link that matches your Siveillance Video product.
3. In the Device pack column, select the version of the current device pack.
4. Select the manufacturer of your device, and then click Filter. The version of the firmware
   that the device pack supports is listed in the Tested Firmware column.

Figure 7
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SI-2 FLAW REMEDIATION

How to configure IPSec

Refer to the annexure "How to configure IPSec" in this guide (page 58).

Use secure and trusted network connections

Network communications must be secure, whether or not you are on a closed network. By default,
secure communications should be used when accessing the VMS. For example:
• VPN tunnels or HTTPS by default
• The latest version of Transport Layer Security19 (TLS, currently 1.2; https://datatracker.ietf.org/wg/tls/charter/)
with valid certificates that meet industry best practices, such as from Public-Key Infrastructure
(X.509) (https://datatracker.ietf.org/wg/ipsec/documents/) and CA/Browser Forum (https://cabforum.org/).
Otherwise, credentials may be compromised and intruders might use them to access the VMS.
Configure the network to allow client computers to establish secure HTTPS sessions, or VPN tunnels
between the client devices and the VMS servers.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SI-2 FLAW REMEDIATION
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 SC-23 Session Authenticity

16 https://datatracker.ietf.org/wg/tls/charter/
17 https://datatracker.ietf.org/wg/pkix/documents/, https://cabforum.org/

Use firewalls to limit IP access to servers and computers


Siemens recommends that you use secure connections, and the following additional steps:
• Use secure device authentication
• Use TLS
• Use device and IPSec white listing to authenticate devices
• Use firewalls to limit network communication between servers and client
computers and programs.
These approaches permit only the necessary traffic, and block unauthorized connections and associated
traffic. To work, the solutions must be configured and implemented properly. For example, to ensure that
the firewall blocks only unwanted traffic, you need to specify the ports that the VMS servers use.
The following table lists the ports that Siveillance Video uses. You should only enable these ports
on the affected machines. Additionally, you should only communicate between machines
according to your system design.
Port number | Protocol | Process | Connections from… | Purpose
80 | HTTP | IIS | All Siveillance Video components | Main communication, for example, authentication and configurations.
443 | HTTPS | IIS | Siveillance Video Client and the Management Client | Authentication of basic users.
6473 | TCP | Management Server service | Management Server tray controller, local connection only. | Showing status and managing the service.
7475 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In Siveillance Video 2014 systems or older, the port number was 6475.
8080 | TCP | Management Server | Local connection only. | Communication between internal processes on the server.
9993 | TCP | Management Server Service | Recording Server services | Authentication, configuration, token exchange.
12345 | TCP | Management Server Service | Siveillance Video Client | Communication between the system and Matrix recipients. You can change the port number in the Management Client.
12974 | TCP | Management Server Service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In Siveillance Video 2017 systems or older, the port number was 6475. In Siveillance Video 2019 R2 systems and older, the port number was 7475.

SQL Server Service

Port number | Protocol | Process | Connections from… | Purpose
1433 | TCP | SQL Server service | Management Server | Storing and retrieving configurations.
1433 | TCP | SQL Server service | Event Server | Storing and retrieving events.
1433 | TCP | SQL Server service | Log Server service | Storing and retrieving log entries.

Data Collector Service

Port number | Protocol | Process | Connections from… | Purpose
7609 | HTTP | IIS | On the Management Server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor

Event Server Service

Port number | Protocol | Process | Connections from… | Purpose
1234 | TCP/UDP | Event Server Service | Any server sending generic events to your Siveillance Video system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
1235 | TCP | Event Server Service | Any server sending generic events to your Siveillance Video system. | Listening for generic events from external systems or devices. Only if the relevant data source is enabled.
9090 | TCP | Event Server Service | Any system or device that sends analytics events to your Siveillance Video system. | Listening for analytics events from external systems or devices. Only relevant if the Analytics Events feature is enabled.
22331 | TCP | Event Server Service | Siveillance Video Client and the Management Client | Configuration, events, alarms, and map data.
22333 | TCP | Event Server Service | MIP Plug-ins and applications. | MIP messaging.

Recording Server Service

Port number | Protocol | Process | Connections from… | Purpose
25 | SMTP | Recording Server Service | Cameras, Encoders and I/O devices | Listening for event messages from devices. The port is disabled per default.
5210 | TCP | Recording Server Service | Failover Recording Servers | Merging of databases after a failover recording server had been running.
5432 | TCP | Recording Server Service | Cameras, Encoders and I/O devices | Listening for event messages from devices.
7563 | TCP | Recording Server Service | Siveillance Video Client, Management Client | Retrieving video and audio streams, PTZ commands.
8966 | TCP | Recording Server Service | Recording Server tray controller, local connection only. | Showing status and managing the service.
9001 | HTTP | Recording Server Service | Management Server | Web service for internal communication between servers. If multiple Recording Server instances are in use, every instance needs its own port. Additional ports will be 9002, 9003, etc.
11000 | TCP | Recording Server Service | Failover recording servers | Polling the state of recording servers.
12975 | TCP | Recording Server Service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP. In Siveillance Video 2017 systems or older, the port number was 6474. In Siveillance Video 2019 R2 systems and older, the port number was 7474.
65101 | UDP | Recording Server Service | Local Connection only | Listening for event notifications from the drivers.

Failover Server service and Failover Recording Server service

Port number | Protocol | Process | Connections from… | Purpose
25 | SMTP | Recording Server service | Cameras, encoders, and I/O devices. | Listening for event messages from devices. The port is disabled per default.
5210 | TCP | Recording Server service | Failover recording servers | Merging of databases after a failover recording server had been running.
5432 | TCP | Recording Server service | Cameras, encoders, and I/O devices. | Listening for event messages from devices.
7474 | TCP | Recording Server service | Windows SNMP service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not apply SNMP.
7563 | TCP | Recording Server service | VMS Video Client | Retrieving video and audio streams, PTZ commands.
8844 | UDP | Failover Recording Servers | Local connection only. | Communication between the servers.
8966 | TCP | Failover Recording Server Service | Failover Recording Server tray controller, local connection only. | Showing status and managing the service.
8967 | TCP | Failover Server Service | Failover Server tray controller, local connection only. | Showing status and managing the service.
8990 | TCP | Failover Server Service | Management Server service | Monitoring the status of the Failover Server service.
9001 | HTTP | Failover Server Service | Management Server | Web server for internal communication between servers.

Mobile Server service

Port number | Protocol | Process | Connections from… | Purpose
8000 | TCP | Mobile Server Service | Mobile Server management (tray icon), local connection only. | SysTray application.
8081 | HTTP | Mobile Server Service | Mobile clients, Web clients, and Management Client. | Sending data streams; video and audio.
8082 | HTTPS | Mobile Server Service | Mobile clients and Web clients. | Sending data streams; video and audio.

LPR Server service

Port number | Protocol | Process | Connections from… | Purpose
22334 | TCP | LPR Server Service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed.
22334 | TCP | LPR Server Service | LPR Server management (tray icon), local connection only. | SysTray application.

Screen Recorder service

Port number | Protocol | Process | Connections from… | Purpose
52111 | TCP | Siveillance Video Screen Recorder | Recording Server Service | Provides video from a monitor. It appears and acts in the same way as a camera on the recording server. You can change the port number in the Management Client.

Siveillance Video ONVIF Bridge

Port number | Protocol | Process | Connections from… | Purpose
580 | TCP | ONVIF Bridge Service | ONVIF Clients | Authentication and requests for video stream configuration.
554 | RTSP | RTSP Server | ONVIF Clients | Streaming of requested video to ONVIF clients.

Cameras, encoders, and I/O devices

Inbound connections

Port number | Protocol | Connections to… | Purpose
80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio.

Outbound connections

Port number | Protocol | Connections to… | Purpose
25 | SMTP | Recording servers and failover recording servers | Sending event notifications (deprecated).
5432 | TCP | Recording servers and failover recording servers | Sending event notifications.

Client components (outbound connections)

Siveillance Video Client, Siveillance Video Management Client, Siveillance Video Mobile server

Port number | Protocol | Connections to… | Purpose
80 | HTTP | Management server service | Authentication
443 | HTTPS | Management server service | Authentication of basic users
7563 | TCP | Recording server service | Retrieving video and audio streams, PTZ commands.
22331 | TCP | Event Server service | Alarms

Web Client, Siveillance Video Mobile client

Port number | Protocol | Connections to… | Purpose
8081 | HTTP | Siveillance Video Mobile Server | Retrieving video and audio streams
8082 | HTTPS | Siveillance Video Mobile Server | Retrieving video and audio streams

Unless otherwise specified, the ports are both inbound and outbound. The port numbers are the default
numbers. You can change some of the port numbers, if needed.
If you need to change ports that are not configurable in Management Client, contact Siveillance
Video Support.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 CA-3 System Interconnections
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 SC-7 Boundary Protection

Use antivirus on all servers and computers

Siemens recommends that you deploy anti-virus software on all servers and computers that connect to the VMS. Malware that gets inside your system can lock, encrypt, or otherwise compromise data on the servers and other devices on the network. It is recommended that the anti-virus software is updated on a regular basis. Also, refer to the Siveillance Video Admin Manual for details related to anti-virus scanning.

If mobile devices connect to the VMS, this includes ensuring that the devices have the latest operating systems and patches (though not directly anti-virus) installed.

When you do virus scanning, do not scan recording server directories and subdirectories that contain recording databases. In addition, do not scan for viruses on archive storage directories. Scanning for viruses on these directories can impact system performance.

For information about the ports, directories, and subdirectories to exclude from the virus scan, see the section “About virus scanning” in the Siveillance Video Administrator Guide.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 PL-8 Information Security Architecture
• NIST SP 800-53 SI-2 Flaw remediation
• NIST SP 800-53 SI-3 Malicious Code Protection
• NIST SP 800-53 SI Information Systems Monitoring
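As an added example (not from this guide or from Siemens), the following PowerShell adds Microsoft Defender path exclusions for exactly the directories the text says not to scan, and nothing broader. The directory paths, the function name and the whole-drive guard are this example's own; the real paths come from the “About virus scanning” section and from the storage configuration in Management Client.

```powershell
# Added example, not from the Siveillance Video guide: scope Microsoft Defender
# exclusions to the recording-database and archive directories only.
# Paths below are placeholders; take the real ones from "About virus scanning"
# and from the storage settings in Management Client.
#Requires -RunAsAdministrator

function Add-VmsDefenderExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$RecordingDatabasePath,   # recording server database directories

        [string[]]$ArchivePath = @()         # archive storage directories
    )

    $added = @()
    foreach ($path in (@($RecordingDatabasePath) + @($ArchivePath))) {
        # An exclusion is a blind spot for the scanner, so refuse anything that
        # is a whole drive rather than a specific directory.
        if ($path -match '^[A-Za-z]:\\?$') {
            Write-Warning "Refusing to exclude whole drive '$path'"
            continue
        }
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            Write-Warning "Directory '$path' does not exist; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, 'Add Microsoft Defender path exclusion')) {
            # A Defender path exclusion covers the directory and its subdirectories,
            # which is what the guide asks for (databases live in subdirectories).
            Add-MpPreference -ExclusionPath $path
            $added += $path
        }
    }

    # Return what was added and the effective list, for the change record.
    [pscustomobject]@{
        Added      = $added
        Configured = (Get-MpPreference).ExclusionPath
    }
}

# Placeholder paths (constructed for the example): replace with your deployment's
# recording database and archive directories. Drop -WhatIf to apply.
Add-VmsDefenderExclusions -RecordingDatabasePath 'D:\MediaDatabase' `
                          -ArchivePath '\\archive-srv\VmsArchive' -WhatIf
```

If you use a different anti-virus product, the same principle applies: exclude the recording database and archive directories by path, keep the exclusion list as short as the Administrator Guide allows, and record the resulting list so it can be reviewed with the rest of the server configuration.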

Monitor logs in the VMS for signs of suspicious activity

Siveillance Video provides features for generating and viewing logs that provide information about patterns of use, system performance, and other issues. Siemens recommends that you monitor the logs for signs of suspicious activities.

There are tools that leverage logs for operational and security purposes. Many businesses use syslog servers to consolidate logs. You can use syslog to note activities at a Windows level; however, Siveillance Video Advanced VMS does not support syslog.

Siemens recommends that you use the Audit Log in Siveillance Video and enable user access logging in Management Client. By default, the Audit Log notes only user logins. However, you can turn on user access logging so that the Audit Log notes all user activities in all of the client components of Siveillance Video products. This includes the times of the activities and the source IP addresses.

The client components are Siveillance Video Client, Web Client, the Siveillance Video Mobile client component, and integrations made by using the MIP SDK. Examples of activities are exports, activating outputs, viewing cameras live or in playback, and so on.

Note: The Audit Log does not note unsuccessful login attempts, or when the user logs out.

Logging all user activities in all clients increases the load on the system, and can affect performance.

You can adjust the load by specifying the following criteria that control when the system generates a log entry:

• The number of seconds that comprise one sequence. The VMS generates one log entry when a user plays video within the sequence.
• The number of frames that a user must view when playing back video before the VMS generates a log entry.

To turn on and configure extended user access logging, follow these steps:

1. In Management Client, click Tools, and select Options.
2. On the Server Logs tab, under Log settings, select Audit Log.
3. Under Settings, select the Enable user access logging check box.
4. Optional: To specify limitations for the information that is noted, and reduce impact on performance, make selections in the Playback sequence logging length and Records seen before logging fields.

To view the Audit Log in Siveillance Video, follow these steps:

1. Open Management Client.
2. Expand the Server Logs node.
3. Click Audit Log.

Figure 8

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AU-3 Content of Audit Records
• NIST SP 800-53 RA-5 Vulnerability Scanning
• NIST SP 800-53 AU-6 Audit Review, Analysis and Reporting
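The following PowerShell is an added example, not part of this guide or the product: a first-pass triage over Audit Log entries that flags the kinds of events the text calls out, namely activity at unusual times, activity from an unexpected source address, and high-impact actions such as exports and output activation. The CSV column names, the sample rows, the trusted subnet and the business-hours window are all constructed for the example; the product's own Audit Log is viewed in Management Client, so this assumes you have exported the entries to a CSV with these columns.

```powershell
# Added example, not from the Siveillance Video guide: triage exported Audit Log
# entries. The CSV layout, sample rows, subnet and business hours are constructed
# for this example; adjust them to the columns of your own export.

function ConvertTo-IPv4Integer {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 address expected: $Address" }
    # Arithmetic instead of shifts keeps this portable across PowerShell versions.
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefixLength = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$prefixLength)      # addresses in the prefix
    $start = [math]::Floor((ConvertTo-IPv4Integer $network) / $blockSize) * $blockSize
    $addr  = ConvertTo-IPv4Integer $Address
    return ($addr -ge $start) -and ($addr -lt ($start + $blockSize))
}

function Find-SuspiciousAuditEntries {
    param(
        [Parameter(Mandatory)][object[]]$Entry,
        [string[]]$TrustedClientSubnet = @('10.10.30.0/24'),   # constructed operator subnet
        [int]$BusinessHoursStart = 7,                           # 07:00 local time
        [int]$BusinessHoursEnd   = 19,                          # 19:00 local time
        [string[]]$HighImpactActivity = @('Export', 'ActivateOutput')
    )
    foreach ($e in $Entry) {
        $reasons = @()
        $when = [datetime]::ParseExact($e.Timestamp, 'yyyy-MM-dd\THH:mm:ss', $null)

        # "Activities that happen at unusual times" (incident response section).
        if ($when.Hour -lt $BusinessHoursStart -or $when.Hour -ge $BusinessHoursEnd) {
            $reasons += 'outside business hours'
        }

        # The Audit Log records the source IP; anything outside the operator
        # subnets deserves a look.
        $fromTrusted = $false
        foreach ($cidr in $TrustedClientSubnet) {
            if (Test-IPv4InCidr -Address $e.SourceIP -Cidr $cidr) { $fromTrusted = $true }
        }
        if (-not $fromTrusted) { $reasons += "source $($e.SourceIP) outside trusted client subnets" }

        # Exports and output activation change the world outside the VMS.
        if ($HighImpactActivity -contains $e.Activity) { $reasons += "high-impact activity $($e.Activity)" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Timestamp = $when
                User      = $e.User
                SourceIP  = $e.SourceIP
                Activity  = $e.Activity
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample export (not real product output).
$sampleAuditCsv = @'
Timestamp,User,SourceIP,Activity,Details
2019-05-02T09:15:00,j.smith,10.10.30.15,Login,Siveillance Video Client
2019-05-02T09:20:10,j.smith,10.10.30.15,ViewLive,Camera 3
2019-05-02T23:45:02,j.smith,198.51.100.7,Export,Camera 3 22:00-23:30
2019-05-03T03:10:44,svc_integration,10.10.30.50,ActivateOutput,Door 2
2019-05-03T10:02:00,a.jones,10.10.30.21,Playback,Camera 1
'@

$entries = $sampleAuditCsv | ConvertFrom-Csv
Find-SuspiciousAuditEntries -Entry $entries | Format-Table -AutoSize
```

On the sample data the export at 23:45 from an address outside the operator subnet and the output activation at 03:10 are returned; the daytime logins and viewing from the operator subnet are not. Two caveats follow directly from the text above: the Audit Log does not record failed logins, so a password-guessing attempt is invisible here and has to be watched at the Windows or IIS level, and user access logging must be enabled first or only the login rows exist to triage.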

Advanced steps

Adopt standards for secure network and VMS implementations
Siemens recommends that you adopt standards for secure networking and Siveillance Video
implementations. The use of standards is a basic component of Internet and network
engineering, and the basis of interoperability and system conformance. This also applies to the
use of cryptographic solutions, where standards-based cryptography is the most commonly
accepted approach.

Establish an incident response plan

Siemens recommends you start with a set of policies and procedures and establish an incident response plan. Designate staff to monitor the status of the system and respond to suspicious events, for example, activities that happen at unusual times. Establish a security Point of Contact (POC) with each of your vendors, including Siveillance VMS.

The following image is adapted from the NIST Cyber Security Framework (http://www.nist.gov/cyberframework/). It shows the lifecycle that needs to be considered when creating a plan. The NIST Cyber Security Framework documents provide details about the lifecycle and security controls for incident response plans.

Figure 9

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 IR 1-13 Incident Response

Protect sensitive VMS components

Siemens recommends that you use physical access control, and use the VMS to monitor and protect its sensitive VMS components. Physical restriction and role-based physical access control are countermeasures that keep servers and workstations secure.

Administrators and users should only have access to the information they need in order to fulfill their responsibilities. If all internal users have the same access level to critical data, it’s easier for attackers to access the network.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 PE-1 Physical and Environmental Protection Policy and Procedures
• NIST SP 800-53 PE-2 Physical Access Authorizations
• NIST SP 800-53 PE-3 Physical Access Control
• NIST SP 800-53 AC-4 Least Privilege

Follow Microsoft OS Security best practices


Siemens recommends that you follow the security best practices for Microsoft operating systems (OS) to
mitigate OS risks and maintain security. This will help you keep the Microsoft servers and client
computers secure.
For more information, see “Microsoft Security Update Guide,” which is available here:
https://technet.microsoft.com/en-us/security/dn550891.aspx

Use tools to automate or implement the security policy

Siemens recommends that you find one or more tools to help you automate and implement the security policy. Automation reduces the risk of human error and makes it easier to manage the policy. For example, you can automate the installation of security patches and updates on servers and client computers.

One way to implement this recommendation is to combine the Microsoft Security Configuration Manager (SCCM) with the Security Content Automation Protocol (SCAP). This gives you a framework to create, distribute, and validate security settings on computers across your network. For more information, see https://technet.microsoft.com/en-us/magazine/ff721825.aspx and http://scap.nist.gov/validation/.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 CM-1 Configuration Management Policy and Procedures
• NIST SP 800-53 CM-2 Baseline Configuration
• NIST SP 800-53 CM-3 Configuration Change Control

Follow established network security best practices

Siemens recommends that you follow IT and vendor best practices to ensure that devices on your network are securely configured. Ask your vendors to provide this information. It is important to open and maintain a security dialogue, and a discussion of best practices is a good place to start.

It is important to deny access to the VMS by not using vulnerable network settings. For more information, see http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf, http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf (specific to firewalls), and https://ics-cert.us-cert.gov/Standards-and-References (general list).

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 MA-3 Maintenance Tools

Devices and network

This section provides guidance for hardening the devices and network components related to Siveillance
Video. This includes key parts of the system such as the cameras, storage, and the network.

Surveillance systems often include cameras at the edge of the network. Cameras and their network
connections, if left unprotected, represent a significant risk of compromise, potentially giving intruders
further access to the system.

Devices - basic steps

Use strong passwords instead of default passwords

Siemens recommends that you change the default passwords on devices, for example, on a camera. Do not use default passwords because they are often published to the Internet and are readily available (for example, at http://zeecure.com/free-cctv-and-security-tools/complete-list-of-every-ip-camera-default-username-password-and-ip-address/).

Instead, use strong passwords for devices. Strong passwords include eight or more alpha-numeric characters, use upper and lower cases, and special characters. The Authenticator Management document listed under Learn more below provides additional guidance.

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 IA-4 Authenticator Management
• NIST 800-53 IA-8 Authenticator Feedback
• NIST 800-53 SI-11 Error Handling

Stop unused services and protocols

To help avoid unauthorized access or information disclosure, Siemens recommends that you stop unused services and protocols on devices, for example, Telnet, SSH, FTP, UPnP, IPv6, SMTP and Bonjour.

It is also important to use strong authentication on any services that access the VMS, network, or devices. For example, use SSH keys instead of user names and passwords, and use certificates from a Certificate Authority for HTTPS. For more information, see the hardening guides and other guidance from the device manufacturer.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-17 Remote Access (Disable Unused Protocols)
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 CM-7 Least Functionality
• NIST SP 800-53 IA-2 Identification and Authentication
• NIST SP 800-53 SA-9 External Information Services

Create dedicated user accounts on each device

All cameras have a default user account with a username and password that the VMS uses to access the device. For auditing purposes, Siemens recommends that you change the default username and password.

Create a user account specifically for use by the VMS, and use this user account and password when you add the camera to the VMS. When a recording server connects to the camera, it uses the username and password you have created. If the camera has a log, this log shows that the recording server has connected to the camera.

With a dedicated username and password, the device logs can help you determine whether a recording server or a person accessed the camera. This is relevant when investigating potential security issues affecting devices.

You can change the username and password for a device before or after you add it in Management Client.

To change the username and password before you add the device, follow these steps:
1. Go to the device’s web interface, and change the default username and password.
2. In Management Client, add the device, and specify the username and password.

To change the username and passwords of devices that are already added, follow these steps:
1. In Management Client, in the Site Navigation pane, expand the Servers node and select Recording Servers.
2. In the Recording Server pane, expand the recording server that contains the device and then right-click the device and select Edit hardware.
3. Under Authentication, enter the new user name and password.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-4 Least Privilege
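Added example (not from this guide or from Siemens), serving both “Use strong passwords instead of default passwords” and the dedicated-account procedure above: a check for the password criteria the guide states, and a generator that draws a per-device credential from the OS cryptographic random number generator for use when you create the VMS account on each camera. The function names, the character set and the short list of common default values it refuses are this example's own.

```powershell
# Added example, not from the Siveillance Video guide: check a device password
# against the criteria stated in the guide (8+ characters, upper and lower case,
# digits, special characters) and generate one from the OS CSPRNG.
# The function names, the character set and the rejected-defaults list are
# this example's own.

# Constructed list of widely published default values to refuse outright.
$RejectedDefaults = @('admin', 'password', '12345', '123456', 'root', 'pass', '')

function Test-DevicePasswordPolicy {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Password)

    $failed = @()
    if ($Password.Length -lt 8)                { $failed += 'fewer than 8 characters' }
    if ($Password -cnotmatch '[A-Z]')          { $failed += 'no upper-case letter' }
    if ($Password -cnotmatch '[a-z]')          { $failed += 'no lower-case letter' }
    if ($Password -notmatch '[0-9]')           { $failed += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]')    { $failed += 'no special character' }
    if ($RejectedDefaults -contains $Password) { $failed += 'is a published default value' }

    [pscustomobject]@{ Compliant = ($failed.Count -eq 0); Failed = $failed }
}

function New-DevicePassword {
    param([ValidateRange(8, 128)][int]$Length = 20)

    # Ambiguous glyphs (0/O, 1/l/I) are left out because device passwords are
    # often typed into a web form by hand.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $oneByte = New-Object byte[] 1
    # Largest multiple of the alphabet size that fits in a byte: draws at or
    # above it are discarded so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    try {
        do {
            $chars = New-Object System.Collections.Generic.List[char]
            while ($chars.Count -lt $Length) {
                $rng.GetBytes($oneByte)
                if ($oneByte[0] -lt $limit) { $chars.Add($alphabet[$oneByte[0] % $alphabet.Length]) }
            }
            $candidate = -join $chars.ToArray()
        } until ((Test-DevicePasswordPolicy -Password $candidate).Compliant)   # all classes present
    } finally {
        $rng.Dispose()
    }
    return $candidate
}

# Check a published default value, then a freshly generated credential
# (the credential itself is deliberately not echoed to the console).
Test-DevicePasswordPolicy -Password 'admin'
$devicePassword = New-DevicePassword -Length 20
Test-DevicePasswordPolicy -Password $devicePassword
```

Generate one credential per device and store it only in the VMS (when you add the device in Management Client) and in whatever password vault your organisation uses; reusing a single “strong” password across all cameras defeats the per-device auditing the section above describes.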

Scanning for devices

Scanning for devices (for example, Express scan or Address range scanning when adding hardware) is done using broadcasts that may contain user names and passwords in plain text.

Unless this is an initial setup, this functionality should not be used for adding devices to the system. Use the Manual option instead and manually select the driver.

Network - basic steps

Use secure and trusted network connections

Network communications must be secure, whether or not you are on a closed network. By default, secure communications should be used when accessing the VMS. For example:
• VPN tunnels or HTTPS by default
• The latest version of Transport Layer Security (TLS, currently 1.2; https://datatracker.ietf.org/wg/tls/charter/) with valid certificates that meet industry best practices, such as from a Public-Key Infrastructure (X.509) (https://datatracker.ietf.org/wg/ipsec/documents/) and the CA/Browser Forum (https://cabforum.org/).

Otherwise, credentials may be compromised and intruders might use them to access the VMS. Configure the network to allow client computers to establish secure HTTPS sessions or VPN tunnels between the client devices and the VMS servers.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SI-2 Flaw remediation
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 SC-23 Session Authenticity

Use a firewall between the VMS and the Internet

The VMS should not connect directly to the Internet. If you expose parts of the VMS to the Internet, Siemens recommends that you use an appropriately configured firewall between the VMS and the Internet. It is recommended to use a separate network segment for VMS servers.

Expose only the Siveillance Video Mobile server component to the Internet, and locate it in a demilitarized zone (DMZ) with firewalls on both sides. This is illustrated in the following figure.

Figure 10
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 CA-3 System Interconnections

Connect the camera subnet to the recording server subnet only


Siemens recommends that you connect the camera subnet only to the recording server subnet. The
cameras and other devices need to communicate only with the recording servers. For more information,
see the section in this document titled Recording Server.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 SC-7 Boundary Protection

Devices - advanced steps

Use Simple Network Management Protocol (SNMPv3) to monitor events

Siemens recommends that you use Simple Network Management Protocol (SNMP) to monitor events on the devices on the network. You can use SNMP as a supplement for syslog. SNMP works in real-time with many types of events that can trigger alerts, for example if a device is restarted. Multiple SNMP protocol versions exist; versions 2c and 3 are the most current. Implementation involves a suite of standards. A good overview can be found at http://www.snmp.com/protocol/snmp_rfcs.shtml.

Note: For this to work, the devices must support logging via SNMP.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SI-4 Event Monitoring

Network - advanced steps

Use secure wireless protocols

If you use wireless networks, Siemens recommends that you use a secure wireless protocol to prevent unauthorized access to devices and computers. For example, use standardized configurations. The NIST guidance on wireless local area networks provides specific details on network management and configuration: Securing Legacy IEEE 802.11 Wireless Networks (http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf) and Guidelines for Securing Wireless Local Area Networks (WLANs) (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf).

Additionally, Siemens recommends that you do not use wireless cameras in mission-critical locations. Wireless cameras are easy to jam, which can lead to loss of video.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-18 Wireless Access
• NIST SP 800-53 SC-40 Wireless Link Protection

Use port-based access control

Use port-based access control to prevent unauthorized access to the camera network. If an unauthorized device connects to a switch or router port, the port should become blocked. Information about how to configure switches and routers is available from the manufacturers. For configuration management of information systems, see the Guide for Security-Focused Configuration Management of Information Systems (http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf).

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 CM-1 Configuration Management Policy and Procedures
• NIST 800-53 CM-2 Baseline Configuration
• NIST 800-53 AC-4 Least Privilege
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality

Run the VMS on a dedicated network


Siemens recommends that, whenever possible, you separate the network where the VMS is running from networks with other purposes. For example, a shared network such as the printer network should be isolated from the VMS network. In addition, Siveillance Video deployments should follow a general set of best practices for system interconnections. Siemens recommends applying an additional IPsec layer to the interconnections between the VMS servers.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 CA-3 System Interconnections

Siveillance Video Servers

This section contains guidance on how to protect the Siveillance Video servers.

Basic steps

Use physical access controls and monitor the server room


Siemens recommends that you place the hardware with the servers installed in a designated server
room, and that you use physical access controls. In addition, you should maintain access logs to
document who has had physical access to the servers. Surveillance of the server room is also a
preventive precaution.

Siveillance Video supports integration of access control systems and their information. For
example, you can view access logs in Siveillance Video Client.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 PE-3 Physical Access Control

Use encrypted communication channels


Siemens recommends that you use a VPN, for example IPsec, for the communication channels between servers. This is to prevent attackers from intercepting communications between the servers. Even for trusted networks, Siemens recommends that you use HTTPS for configuration of cameras and other system components.

Disable automatic administrative logon to recovery console

• Reference to Disable automatic administrative logon to recovery console to be provided

Use Screen Savers

• Configure a screen-saver to lock the console's screen automatically if the host is left unattended.

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-4 Information Flow Enforcement
• NIST 800-53 AC-17 Remote Access

Advanced steps

Run services with service accounts


Siemens recommends that you create service accounts for services related to Siveillance Video, instead
of using a regular user account. Set up the service accounts as domain users, and only give them the
permissions required to run the relevant services. For example, the service account should not be able to
log on to the Windows desktop.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-5 Separation of Duties
• NIST 800-53 AC-6 Least Privilege

Run components on dedicated virtual or physical servers


Siemens recommends that you run the components of Siveillance Video only on dedicated virtual or
physical servers without any other software or services installed.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 CM-9 Configuration Management Plan

Restrict the use of removable media on computers and servers

Siemens recommends that you restrict the use of removable media, for example USB keys, SD cards,
and Videophones on computers and servers where components of Siveillance Video are installed. This
helps prevent malware from entering the network. For example, allow only authorized users to connect
removable media when you need to transfer video evidence.

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 MP-7 Media Use

Use individual administrator accounts for better auditing


As opposed to shared administrator accounts, Siemens recommends using individual accounts for
administrators. This lets you track who does what in Siveillance Video. This helps prevent malware
from entering the network. You can then use an authoritative directory such as Active Directory to
manage the administrator accounts.
You assign administrator accounts to roles in Management Client under Roles.

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-5 Separation of Duties
• NIST 800-53 CM-9 Configuration Management Plan

Use subnets or VLANs to limit server access


Siemens recommends that you logically group different types of hosts and users into separate subnets.
This can have benefits in managing privileges for these hosts and users as members of a group with a
given function or role. Design the network so that there is a subnet or VLAN for each function. For
example one subnet or VLAN for surveillance operators and one for administrators. This allows you to
define firewall rules by group instead of for individual hosts.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CSC 11: Secure Configurations for Network Devices such as Firewalls,
Routers, and Switches
• NIST SP 800-53 SC-7 Boundary Protection

Enable only the ports used by Event Server


Siemens recommends that you enable only the ports used by event server, and block all other ports,
including the default Windows ports.
The event server ports used in Siveillance Video are: 22331, 22333, 9090, 1234, and 1235.
Note: The ports used depend on the deployment. If in doubt, contact Siveillance Video Support.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 CSC 11: Secure Configurations for Network Devices such as Firewalls,
Routers, and Switches

SQL Server

Connection to the database


Communication between the Siveillance Video software and the SQL server can potentially be tampered with by an attacker because the certificate is not validated.

To mitigate this, you must first set up verifiable server certificates. After the certificates are set up, you must modify the ConnectionString in the Windows registry by removing trustServerCertificate=true, as follows:

Registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\Common\ConnectionString

Current connection string:
Data Source=localhost;initial catalog='Surveillance';Integrated Security=SSPI;encrypt=true;trustServerCertificate=true

Hardened connection string:
Data Source=localhost;initial catalog='Surveillance';Integrated Security=SSPI;encrypt=true

This results in encryption occurring only if there is a verifiable server certificate; otherwise the connection attempt fails.
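As an added example (not from this guide or from Siemens), the PowerShell below performs the rewrite described above as a pure function, so the result can be inspected before anything is written, and then applies it to the registry location the guide names. It assumes ConnectionString is a string value under the HKLM\SOFTWARE\VideoOS\Server\Common key (the guide gives the full path but not the key/value split); the function names and the backup file location are this example's own.

```powershell
# Added example, not from the Siveillance Video guide: remove
# trustServerCertificate=true from the VMS SQL connection string while keeping
# encrypt=true, then apply it to the registry value named in the guide.
# Assumption: ConnectionString is a string value under HKLM\SOFTWARE\VideoOS\Server\Common.

function ConvertTo-HardenedSqlConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Parse "key=value;key=value" into an ordered table, keeping the original
    # key spelling so the rewritten string stays recognisable.
    $parts = [ordered]@{}
    foreach ($pair in ($ConnectionString -split ';' | Where-Object { $_.Trim() })) {
        $key, $value = $pair -split '=', 2
        $parts[$key.Trim()] = $value.Trim()
    }

    # SqlClient keywords are case-insensitive, so match them without regard to case.
    $trustKey = $parts.Keys | Where-Object { $_ -ieq 'trustServerCertificate' }
    if ($trustKey) { $parts.Remove($trustKey) }          # the setting that skips validation

    $encryptKey = $parts.Keys | Where-Object { $_ -ieq 'encrypt' }
    if ($encryptKey) { $parts[$encryptKey] = 'true' } else { $parts['encrypt'] = 'true' }

    return (($parts.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';')
}

function Set-VmsConnectionStringHardened {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath    = 'HKLM:\SOFTWARE\VideoOS\Server\Common',   # from the guide
        [string]$ValueName  = 'ConnectionString',                       # from the guide
        [string]$BackupFile = (Join-Path $env:ProgramData 'VmsConnectionString.bak')  # example's choice
    )
    $current  = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    $hardened = ConvertTo-HardenedSqlConnectionString -ConnectionString $current
    if ($current -eq $hardened) {
        Write-Verbose 'Connection string already hardened; nothing to do.'
        return $hardened
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Replace connection string')) {
        Set-Content -LiteralPath $BackupFile -Value $current   # keep the old value for rollback
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $hardened
    }
    return $hardened
}

# The "current" string quoted in the guide, run through the pure function only:
$current = "Data Source=localhost;initial catalog='Surveillance';Integrated Security=SSPI;encrypt=true;trustServerCertificate=true"
ConvertTo-HardenedSqlConnectionString -ConnectionString $current

# On the management server itself, once the SQL Server certificate is trusted there:
# Set-VmsConnectionStringHardened -Verbose -WhatIf
```

Apply the registry change only after the SQL Server certificate chains to a CA the management server trusts: as the text says, once trustServerCertificate is gone an unverifiable certificate makes the connection fail, which takes the VMS down rather than hardening it. Plan a restart of the VMS services so that they pick up the new string.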

Run the SQL Server database on a separate server


Siemens recommends that you make the SQL Server redundant. This reduces the risk of real or perceived downtime.

To support Windows Server Failover Clustering (WSFC), Siemens recommends that you run the SQL Server database on a separate server, and not on the management server.

SQL Server must run in a WSFC setup, and the management and event servers must run in a Microsoft Cluster setup (or similar technology). For more information about WSFC, see https://msdn.microsoft.com/en-us/library/hh270278.aspx.

Limit the IP access to Servers


Siemens recommends configuring the firewall of each server so that only the intended and authorized VMS components have access to the server. The firewall should be configured to block all non-required access.

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality
• NIST 800-53 SC-7 Boundary Protection
• NIST 800-53 CM-9 Configuration Management Plan

Encrypt Connection to SQL Server

To configure SSL for SQL Server, refer to https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx.

SQL Hardening

Siemens recommends that you apply Security Best Practices to the SQL Server. For more information see https://msdn.microsoft.com/en-us/library/ms144228.aspx and http://download.microsoft.com/download/8/f/a/8fabacd7-803e-40fc-adf8-355e7d218f4c/sql_server_2012_security_best_practice_whitepaper_apr2012.docx.

Siemens recommends securing the communication to the Database Server via TLS.

Step 1: (Management Server Side) Create the SSL certificate that is used for securing the communication between the VMS Management Server and Database Server machines. For demonstration purposes, we created a self-signed certificate in IIS. The same can be done using OpenSSL (see the addendum for a HowTo). In a production environment, the SSL certificate can be signed by an authorized CA.

The below image shows the certificate that is created in IIS for the Management Server.

Step 2: (Database Server Side) Open the ‘SQL Server Configuration Manager’ from Program Files (C:\Windows\SysWOW64\mmc.exe /32 C:\WINDOWS\SysWOW64\SQLServerManager10.msc) or from the Start Menu as shown in the below image.

Step 3: (Database Server Side) Right-click ‘SQL Server Network Configuration→Protocols for SQLEXPRESS’ and select Properties as shown in the below image.

Step 4: (Database Server Side) The following properties dialog opens.
In the ‘Flags’ tab, set ‘Force Encryption’ to Yes.
In the ‘Certificate’ tab, select the certificate that was created in Step 1.
In the ‘Advanced’ tab, set ‘Extended protection’ to ‘Required’.

With the above four steps, the communication between the Management Server and the Database Server is secured with SSL.


Insecure SMB service

When the VMS Management Server uses SQL server 2016 R2 as the Database, the protocol that is used is SMBv2, which is not a supported message encryption and signing verification protocol.

It is recommended to enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. Refer to the links below for further information.

References:
https://support.microsoft.com/en-us/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea
https://stackoverflow.com/questions/2503234/sql-server-ports-445-and-1433?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa


Management Server

Disable the remote registry access. Refer to the following URL for more details:

Adjust the token time-out


Siveillance Video uses session tokens when it logs in to the management server using SSL (basic users) or NTLM (Windows users) protocols. A token is retrieved from the management server and used on the secondary servers, for example the recording server and sometimes also the event server. This avoids performing an NTLM and AD lookup on every server component.

By default, a token is valid for 240 minutes. You can adjust this down in 1-minute intervals. This value can also be adjusted over time. Short intervals increase security; however, the system generates additional communication when it renews the token. This communication increases the system load and can impact performance. The best interval to use depends on the deployment.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 IA-5 Authenticator Management

Enable only the ports used by the management server


Siemens recommends that you enable only the ports used by the management server, and that you block
all other ports, including the default Windows ports. This guidance is consistent for the server
components of Siveillance Video.
The management server ports used in Siveillance Video are: 80, 443, 1433, 7475, 8080, 8990, 9993,
12345.
Note: The ports used depend on the deployment. If in doubt, contact Siveillance Video Support.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 SC-7 Boundary Protection
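As an added example (not from this guide or from Siemens), the PowerShell below turns the port lists in this section and in “Enable only the ports used by Event Server” into Windows host-firewall allow rules, and uses the rules' remote-address scope to do what “Limit the IP access to Servers” asks for: only the subnets of the VMS components that need a port are allowed to reach it. The role names, the rule-name prefix and the sample subnets are this example's own; the port numbers are the defaults quoted in this guide and, as the guide notes, depend on the deployment.

```powershell
# Added example, not from the Siveillance Video guide: per-role inbound
# allowlist on a Windows VMS server using the built-in NetSecurity cmdlets.
# Port numbers are the defaults listed in the guide; the role names, the
# rule-name prefix and the -RemoteAddress scoping are this example's own.
#Requires -RunAsAdministrator

$VmsRolePorts = @{
    # Management server ports from the guide
    'ManagementServer' = @(80, 443, 1433, 7475, 8080, 8990, 9993, 12345)
    # Event server ports from the guide
    'EventServer'      = @(22331, 22333, 9090, 1234, 1235)
}

function Set-VmsInboundAllowlist {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ManagementServer', 'EventServer')]
        [string]$Role,

        # Subnets of the VMS components and operators that legitimately use
        # these ports. 'Any' leaves the port reachable from every source and
        # should be narrowed ("Limit the IP access to Servers").
        [string[]]$RemoteAddress = @('Any'),

        [string]$RulePrefix = 'Siveillance VMS'
    )

    # Remove rules from a previous run so re-running does not pile up duplicates.
    Get-NetFirewallRule -DisplayName "$RulePrefix $Role*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    foreach ($port in $VmsRolePorts[$Role]) {
        $name = "$RulePrefix $Role TCP $port"
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound allow rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -RemoteAddress $RemoteAddress -Action Allow -Profile Any |
                Out-Null
        }
    }

    # Everything not explicitly allowed, including the default Windows ports the
    # guide says to block, is then dropped by the profile's default action.
    if ($PSCmdlet.ShouldProcess('Domain, Private, Public profiles', 'Set default inbound action to Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    }

    # Return the resulting rule set so it can be reviewed or kept as evidence.
    Get-NetFirewallRule -DisplayName "$RulePrefix $Role*" |
        Get-NetFirewallPortFilter |
        Select-Object @{ n = 'Port'; e = { $_.LocalPort } }, Protocol
}

# Example: a management server reachable only from the VMS server subnet and the
# operator subnet (constructed private ranges). Drop -WhatIf to apply.
Set-VmsInboundAllowlist -Role ManagementServer `
    -RemoteAddress '10.10.20.0/24', '10.10.30.0/24' -WhatIf
```

Run it with -WhatIf first. Before the default inbound action is switched to Block, make sure a rule for your own remote-administration path exists (for example RDP from the administration subnet), otherwise the change locks you out of the server. Outbound rules for the client-side ports listed earlier in this section are a separate exercise, and any port changed in Management Client has to be changed here too.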

Disable non-secure protocols

When a basic user logs in to the management server through IIS, the Management Client will use any protocol available. Siemens recommends that you always implement the latest version of the Transport Layer Security (TLS, currently 1.2) and disable all improper cipher suites and obsolete versions of SSL/TLS protocols. This prevents the Management Client from using protocols that are not secure. The OS determines the protocol to use. Perform actions to block non-secure protocols at the OS level.

Note: The protocols used depend on the deployment. If in doubt, contact Siveillance Video Support.

Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-17 Remote Access (Disable Unused Protocols)
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality
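Added example (not from this guide or from Siemens), covering this section together with “Use secure and trusted network connections” and “Insecure SMB service”: PowerShell that disables the obsolete SSL/TLS versions at the OS (SCHANNEL) level, so that IIS and the Management Client can only negotiate TLS 1.2, and requires SMB signing on the host. The SCHANNEL registry layout and the Set-SmbServerConfiguration cmdlet are Microsoft's; the function names and the choice to leave only TLS 1.2 enabled follow the guide's “currently 1.2”.

```powershell
# Added example, not from the Siveillance Video guide: block SSL 2.0/3.0 and
# TLS 1.0/1.1 at the SCHANNEL level (Microsoft's documented registry layout) and
# require SMB signing. Function names are this example's own.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Both the server side (IIS, SQL) and the client side (Management Client,
    # recording server talking to cameras) read these keys.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelRoot $Protocol) $side
        if ($PSCmdlet.ShouldProcess($key, "Enabled=$([int]$Enabled)")) {
            New-Item -Path $key -Force | Out-Null
            # Enabled=0 turns the version off; DisabledByDefault=1 stops callers
            # that do not name a version explicitly from picking it.
            New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) `
                -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Invoke-VmsProtocolHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        Set-SchannelProtocol -Protocol $legacy -Enabled $false
    }
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

    # SMB: require signing so sessions cannot be downgraded to unsigned ones.
    # This is the cmdlet equivalent of the policy setting the SMB section names,
    # "Microsoft network server: Digitally sign communications (always)".
    if ($PSCmdlet.ShouldProcess('SMB server', 'Require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

function Get-VmsProtocolState {
    # Read back the effective settings so the change can be verified, and
    # re-checked after Windows updates or a rebuild.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path (Join-Path $SchannelRoot $p) 'Server'
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting           = $p
            Enabled           = $v.Enabled            # $null means "OS default"
            DisabledByDefault = $v.DisabledByDefault
        }
    }
    [pscustomobject]@{
        Setting           = 'SMB signing required'
        Enabled           = (Get-SmbServerConfiguration).RequireSecuritySignature
        DisabledByDefault = $null
    }
}

Invoke-VmsProtocolHardening -WhatIf       # drop -WhatIf to apply
Get-VmsProtocolState | Format-Table -AutoSize
```

SCHANNEL changes take effect after a reboot. Test in a staging environment first: anything that can only negotiate the disabled versions, whether an older client or a camera the recording server reaches over HTTPS, stops connecting, which is the intended effect but needs to be known before it happens in production. The guide's note applies here too: the protocols in use depend on the deployment, so check with Siveillance Video Support if in doubt.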

Recording Server

Available functionality depends on the system you are using. See Product comparison chart for more
information.
In the Storage and Recording Settings dialog box, specify the following:

Name: Rename the storage if needed. Names must be unique.

Path: Specify the path to the directory to which you save recordings in this storage. The storage does not
necessarily have to be located on the recording server computer. If the directory does not exist, you can
create it. Network drives must be specified by using UNC (Universal Naming Convention) format, example:
\\server\volume\directory\.

Retention time: Specify for how long recordings should stay in the archive before they are deleted or moved
to the next archive (depending on archive settings). The retention time must always be longer than the
retention time of the previous archive or the default recording database. This is because the number of
retention days specified for an archive includes all the retention periods stated earlier in the process.

Maximum size: Select the maximum number of gigabytes of recording data to save in the recording database.
Recording data in excess of the specified number of gigabytes is auto-moved to the first archive in the
list - if any is specified - or deleted.
Important: When less than 5GB of space is free, the system always auto-archives (or deletes if no next
archive is defined) the oldest data in a database. If less than 1GB space is free, data is deleted. A
database always requires 250MB of free space. If you reach this limit (if data is not deleted fast enough),
no more data is written to the database until you have freed enough space. The actual maximum size of your
database is the amount of gigabytes you specify, minus 5GB.

Signing: Enables a digital signature to the recordings. This means, for example, that the system confirms
that exported video has not been modified or tampered with when played back. The system uses the SHA-2
algorithm for digital signing.

Encryption: Select the encryption level of the recordings:
o None
o Light (Less CPU usage)
o Strong (More CPU usage)
The system uses the AES-256 algorithm for encryption. If you select Light, a part of the recording is
encrypted. If you select Strong, the whole recording is encrypted. Both options are equally secure.
If you choose to enable encryption, you must also specify a password below.

Password: Enter a password for the users allowed to view encrypted data. Siemens recommends that you use
strong passwords. Strong passwords do not contain words that can be found in a dictionary or are part of
the user's name. They include eight or more alpha-numeric characters, upper and lower cases, and special
characters.

Use separate network interface cards


Siemens recommends that you use multiple network interface cards (NICs) to separate the
communication between recording servers and devices from the communication between recording
servers and client programs. Client programs do not need to communicate directly with devices.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SC-7 Boundary Protection

Siveillance Video Mobile server component

Only enable ports that Siveillance Video Mobile server uses

Siemens recommends that you enable only the ports that Siveillance Video Mobile server uses, and block
all other ports, including the default Windows ports.

By default, mobile server uses ports 8081 and 8082.

Note: The ports used depend on the deployment. If in doubt, contact Siveillance Video Support.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 SC-7 Boundary Protection



Use a “demilitarized zone” (DMZ) to provide external access

Siemens recommends that you install mobile server in a DMZ, and on a computer with two network
interfaces:
• One for internal communication
• One for public Internet access

This allows mobile client users to connect to mobile server with a public IP address, without
compromising the security or availability of the VMS network.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SC-7 Boundary Protection
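An added PowerShell example (not from the Siemens guide) for the two mobile server sections above: on the dual-homed DMZ host it allows the mobile server ports (8081 and 8082 by default, as stated above) on the Internet-facing interface, allows the same ports plus administration only from the internal VMS subnet on the internal interface, sets the default inbound action to block, and then prints the resulting rules with their interface, port and remote-address scope for review. Interface aliases, the internal subnet, the rule names and the use of RDP for administration are assumptions.

```powershell
# Added example, not from the Siveillance Video guide. Run elevated on the
# mobile server in the DMZ. Aliases and subnet are assumptions: check them
# with Get-NetAdapter and Get-NetIPAddress before running.
$PublicNic   = 'Ethernet-Public'     # Internet-facing NIC (assumed alias)
$InternalNic = 'Ethernet-Internal'   # NIC towards the VMS network (assumed alias)
$InternalNet = '10.10.0.0/16'        # VMS network (assumed)
$MobilePorts = @(8081, 8082)         # mobile server defaults from the guide

function Set-DmzMobileServerRules {
    param(
        [Parameter(Mandatory)] [string] $PublicInterface,
        [Parameter(Mandatory)] [string] $InternalInterface,
        [Parameter(Mandatory)] [string] $InternalSubnet,
        [Parameter(Mandatory)] [int[]]  $Port
    )
    foreach ($alias in $PublicInterface, $InternalInterface) {
        if (-not (Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue)) {
            throw "Network adapter '$alias' not found; fix the alias before changing rules."
        }
    }
    # Re-runnable: drop our own rules from a previous run.
    Get-NetFirewallRule -DisplayName 'VMS Mobile DMZ - *' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Deny-all inbound on every profile, then open only what each side needs.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

    # Public side: mobile client traffic and nothing else.
    New-NetFirewallRule -DisplayName 'VMS Mobile DMZ - public clients' -Direction Inbound `
        -InterfaceAlias $PublicInterface -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

    # Internal side: mobile ports for internal clients plus RDP for administration,
    # accepted only from the VMS subnet. Remove 3389 if you do not administer over RDP.
    New-NetFirewallRule -DisplayName 'VMS Mobile DMZ - internal' -Direction Inbound `
        -InterfaceAlias $InternalInterface -RemoteAddress $InternalSubnet `
        -Protocol TCP -LocalPort ($Port + 3389) -Action Allow | Out-Null
}

function Get-DmzRuleSummary {
    # One line per rule with its scope, for the change record and for review:
    # a public-interface rule that opens more than the mobile ports is a finding.
    Get-NetFirewallRule -DisplayName 'VMS Mobile DMZ - *' | ForEach-Object {
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Interface = (($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -join ',')
            Ports     = (($_ | Get-NetFirewallPortFilter).LocalPort -join ',')
            Remote    = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
}

Set-DmzMobileServerRules -PublicInterface $PublicNic -InternalInterface $InternalNic `
    -InternalSubnet $InternalNet -Port $MobilePorts
Get-DmzRuleSummary | Format-Table -AutoSize
```

Only inbound traffic is restricted here; the mobile server's own outbound connections to the management and recording servers on the internal interface are unaffected. Windows may classify the public NIC under the Public profile, which is why the rules above are not tied to a profile.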

Disable non-secure protocols

Siemens recommends that you use only the necessary protocols, and only the latest versions. For
example, implement the latest version of the Transport Layer Security (TLS, currently 1.2) and disable
all other cipher suites and obsolete versions of SSL/TLS protocols. This requires configuration of
Windows and other system components, and the proper use of digital certificates and keys.

Note: The same recommendation was given for the management server. For more information, see the
section in this document titled Disable non-secure protocols.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-17 Remote Access (Disable Unused Protocols)
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality
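The recommendation above and the identical one for the management server are the same OS-level change, so here is one added PowerShell example that makes it; it is not from the Siemens guide. It writes the Windows Schannel registry values that turn SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 off for both the client and the server role, keeps TLS 1.2 on, tells .NET Framework applications (which the IIS-hosted components are) to follow the OS defaults, and disables every cipher suite that is not on an allow-list. The allow-list is an assumption, chosen as the forward-secret AEAD suites; the registry paths and the Get-TlsCipherSuite / Disable-TlsCipherSuite cmdlets are standard Windows (the cmdlets need Windows Server 2016 or later).

```powershell
# Added example, not from the Siveillance Video guide.
# Run elevated; a reboot is needed before the protocol changes take effect.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Name,    # e.g. 'TLS 1.0'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    # Schannel keeps separate switches for the server and the client role;
    # a VMS server acts as both (IIS server, SQL client).
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Name\$role"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 switches the protocol off; DisabledByDefault=1 also stops
        # applications that do not name a protocol explicitly from using it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

foreach ($obsolete in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $obsolete -Enabled $false
}
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# .NET Framework applications use the OS protocol defaults only when these
# two values are set; without them they may still negotiate an older version.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $net) {
        New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Cipher-suite allow-list (assumption): forward-secret AEAD suites for TLS 1.2,
# plus the TLS 1.3 suites so that newer Windows builds keep working.
$AllowedCipherSuites = @(
    'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Disable-CipherSuitesNotIn {
    param([Parameter(Mandatory)] [string[]] $Keep)
    # Returns the names that were disabled, so the change can be logged.
    $removed = foreach ($suite in Get-TlsCipherSuite) {
        if ($suite.Name -notin $Keep) {
            Disable-TlsCipherSuite -Name $suite.Name
            $suite.Name
        }
    }
    $removed
}

Disable-CipherSuitesNotIn -Keep $AllowedCipherSuites
# What remains enabled; anything outside the allow-list here means the cmdlet
# could not remove it (check that the TLS module is available on this build).
(Get-TlsCipherSuite).Name
```

Before the reboot, confirm that every peer the server talks to can negotiate TLS 1.2: in particular the SQL Server instance on port 1433 and any older client or integration. A peer that only speaks TLS 1.0 or 1.1 will be refused after the change, which on the management server means losing the database connection.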



Set up users for two-step verification via email
Available functionality depends on the system you are using. See Product comparison chart for more
information.
To impose an additional login step on users of the Siveillance Video Mobile client or Siveillance Video
Web Client, set up two-step verification on the VMS Mobile server. In addition to the standard user name
and password, the user must enter a verification code received by email.
Two-step verification increases the protection level of your surveillance system.

Requirements

• You have installed an SMTP server.

• You have added users and groups to your Siveillance Video system in the Management Client on
the Roles node in the Site Navigation pane. On the relevant role, select the Users and Groups
tab.

If you upgraded your system from a previous version of Siveillance Video, you must restart the mobile
server to enable the two-step verification feature.
In the Management Application or Management Client, perform these steps:

1. Enter information about your SMTP server.

2. Specify the settings for the verification code that will be sent to the client users.

3. Assign login method to users and domain groups.

This topic describes each of these steps.

Enter information about your SMTP server


The email provider needs the information about your SMTP server:

1. In the navigation pane, select Mobile Servers, and select the relevant mobile server.

2. On the Two-step verification tab, select the Enable two-step verification check box.

3. Below Provider settings, on the Email tab, enter information about your SMTP server and specify the
email that the system will send to client users when they log in and are set up for a secondary login.

Specify the verification code that will be sent to the users

To specify the complexity of the verification code:

1. On the Two-step verification tab, in the Verification code settings section, specify the period within
which Mobile client users do not have to re-verify their login after, for example, a network disconnection.
Default period is 3 minutes.

2. Specify the period within which the user can use the received verification code. After this period, the
code is invalid and the user has to request a new code. Default period is 5 minutes.

3. Specify the maximum number of code entry attempts before the user is blocked. Default number is 3.

4. Specify the number of characters for the code. Default length is 6.

5. Specify the complexity of the code that you want the system to compose.

Assign login method to users and Active Directory groups


On the Two-step verification tab, in the User settings section, the list of users and groups added to your
Siveillance Video system appears.
1. In the Login method column, select between no login, no two-step verification, or delivery method of
codes.

2. In the Details field, add the delivery details such as email addresses of individual users. Next time the
user logs into VMS Web Client or the Siveillance Video Mobile app, he or she is asked for a secondary
login.

3. If a group is configured in Active Directory, the Mobile server uses details, such as email addresses,
from Active Directory.
Windows groups do not support two-step verification.
4. Save your configuration.

You have completed the steps for setting up your users for two-step verification via email.

Two-step verification

Available functionality depends on the system you are using. See Product comparison chart for more
information.
Use the Two-step verification tab to enable and specify an additional login step on users of the VMS
Mobile app on their iOS, Windows Phone, or Android mobile devices or Siveillance Video Web Client.
The first factor is the password; the second factor, the verification code, can be configured to be sent
to the user by email.
For more information, see Set up users for two-step verification (see "Set up users for two-step verification
via email").
The following tables describe the settings on this tab.

SMTP server: Enter the IP address or host name of the simple mail transfer protocol (SMTP) server for
two-step verification emails.

SMTP server port: Specify the port of the SMTP server for sending emails. Default port number is 25
without SSL and 465 with SSL.

Use SSL: Select this check box if your SMTP server supports SSL encryption.

User name: Specify the user name for logging into the SMTP server.

Password: Specify the password for logging into the SMTP server.

Use Secure Password Authentication (SPA): Select this check box if your SMTP server supports SPA.

Sender's email address: Specify the email address for sending verification codes.

Email subject: Specify the subject title for the email. Example: Your two-step verification code.

Email text: Type the message you want to send. Example: Your code is {0}. If you forget to include the {0}
variable, the code is added at the end of the text by default.

Verification code settings:

Users and groups: Lists the users and groups added to the Siveillance Video system. If a group is
configured in Active Directory, the Mobile server uses details, such as email addresses, from Active
Directory. Windows groups do not support two-step verification.

Verification method: Select a verification setting for each user or group. You can select between:
No login: the user cannot log in.
No two-step verification: the user must enter user name and password.
Email: the user must enter a verification code in addition to user name and password.

User details: Type the email address to which each user will receive codes.

Mobile Client Replay attack

Security assessments of the VMS Mobile Client found that the HTTP calls from the Mobile Client to the VMS
Mobile Server carry no integrity check, which leaves the server vulnerable to replay attacks.

Configuring HTTPS with a properly implemented CA certificate reduces this risk.

Log Server

Install Log Server on a separate SQL Server

Siemens recommends that you install Log Server on a separate SQL Server. If Log Server is affected
by a performance issue, for example, due to flooding or other reasons, and uses the same database as
the management server, both can be affected.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SC-7 Boundary Protection
• NIST SP 800-53 CM-9 Configuration Management Plan

Limit the IP access to Log Server


Siemens recommends that only VMS components that are capable of logging can contact the Log
Server. Log Server uses port 80.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality
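An added PowerShell example for the Log Server recommendation above (not from the Siemens guide): before restricting port 80, it records which remote addresses are actually connected to the port so the allow-list can be reconciled against the inventory of VMS components, then enforces a rule that accepts port 80 only from those addresses. The sample address list and rule name are assumptions; port 80 is the Log Server port stated above.

```powershell
# Added example, not from the Siveillance Video guide. Run elevated on the Log Server.
$LogServerPort = 80

function Get-LogServerClient {
    param([int] $Port = 80)
    # Snapshot of remote addresses with an established connection to the port.
    # Run it several times over a normal operating period: components that log
    # only occasionally will not all appear in one sample.
    Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
        Group-Object RemoteAddress |
        ForEach-Object { [pscustomobject]@{ RemoteAddress = $_.Name; Connections = $_.Count } } |
        Sort-Object RemoteAddress
}

function Set-LogServerAccess {
    param(
        # Addresses or CIDR ranges of the VMS components allowed to log.
        [Parameter(Mandatory)] [string[]] $AllowedAddress,
        [int] $Port = 80,
        [string] $RuleName = 'Siveillance Log Server - logging components'  # assumed name
    )
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedAddress -Action Allow | Out-Null
    # Windows Firewall gives explicit Block rules priority over Allow rules, so
    # "everyone else" is excluded by the profile default, not by a block rule
    # on the same port (that would also block the allowed hosts).
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}

# 1. Observe: compare this output with the known management, recording and
#    mobile server addresses; anything unknown needs explaining, not allowing.
Get-LogServerClient -Port $LogServerPort | Format-Table -AutoSize

# 2. Enforce, with the reconciled list (sample addresses, assumed).
$VmsComponents = @('10.10.1.10', '10.10.1.11', '10.10.2.0/24')
Set-LogServerAccess -AllowedAddress $VmsComponents -Port $LogServerPort
```

If the Log Server shares a host with the management server, port 80 also serves the management server and the remote-address restriction would then have to cover every management client as well, which is one more reason to follow the separate-server recommendation above.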

Client programs

This section provides guidance about how to protect the Siveillance Video client programs. The
client programs are:
• Siveillance Video Client
• Siveillance Video Web Client
• Siveillance Video Management Client
• Siveillance Video Mobile client

Basic steps (all client programs)

Use Windows users with AD


Siemens recommends that, whenever possible, you use Windows users in combination with Active
Directory (AD) to log in to the VMS with the client programs. This enables you to enforce a password
policy, and apply user settings consistently across the domain and network. It also provides protection
against brute force attacks. For more information, see the section in this document titled Use Windows
users with Active Directory (AD).

Siemens recommends that you never use Anonymous as a username and test as a password.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 SA-5 Information System Documentation
• NIST 800-53 SA-13 Trustworthiness

Restrict permissions for client users


Siemens recommends that administrators specify what users can do in Management Client or
Siveillance Video Client.
The following instructions describe how to do this. Additional information is available in the Siveillance
Video Administrator guide.
To restrict client user permissions, follow these steps:
1. Open Management Client.
2. Expand the Security node, select Roles, and then select the role that the user is associated
with.



3. On the tabs at the bottom, you can set permissions and restrictions for the role.

Figure 11

Note: By default, all users associated with the Administrator role have unrestricted access to the
system. This includes users who are associated with the Administrator role in AD as well as those with
the role of administrator on the management server.
Learn more
The following documents provide additional information:
• NIST 800-53 AC-4 Least Privilege
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality

Always run clients on trusted hardware on trusted networks


Siemens recommends that you always run Siveillance Video clients on hardware devices with the
proper security settings. Specific guidance for mobile devices is available31. These settings are
specific to the device.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SC-7 Boundary Protection
• NIST SP800-53 CM-6 Configuration Settings

Siveillance Video Client - advanced steps

Restrict physical access to computers running Siveillance Video Client


Siemens recommends that you restrict physical access to computers running Siveillance Video Client.
Allow only authorized personnel to access the computers. For example, keep the door locked, and use
access controls and surveillance.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 PE-1 Physical and Environmental Protection Policy and Procedures
• NIST SP 800-53 PE-2 Physical Access Authorizations
• NIST SP 800-53 PE-3 Physical Access Control
• NIST SP 800-53 PE-6 Monitoring Physical Access

Use a secure connection by default


If you need to access the VMS with Siveillance Video Client over a public or untrusted network,
Siemens recommends that you use a secure connection through VPN. This helps ensure that
communication between Siveillance Video Client and the VMS server is protected.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-17 Remote Access
• NIST SP 800-53 CM-6 Configuration Settings

Activate login authorization


Login authorization requires a user to log in on Siveillance Video Client or Management Client, and
another user who has an elevated status, such as a supervisor, to provide approval.

You set up login authorization on the roles. Users associated with the role are prompted for a second
user (a supervisor) to authorize their access to the system.

31
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf



Note: Login authorization is currently not supported by mobile client, Siveillance Video Web Client, and
any Siveillance Video Integration Platform (MIP) SDK integrations.
To turn on login authorization for a role, follow these steps:
1. Open Management Client.
2. Expand the Security node, select Roles, and then select the relevant role.
3. Select the Login authorization required check box.

Figure 12

To configure the roles that authorize and grant access, follow these steps:
1. To create a new role, for example “Security supervisor”, expand the
Security node, right-click Roles and create a new role.
2. Click the Overall Security tab, and select the Management Server node.

3. Select the Allow check box next to the Authorize users check box.



Figure 13

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-6 Least Privilege
• NIST SP 800-53 AC-17 Remote Access
• NIST SP 800-53 CM-6 Configuration Settings

Do not store passwords


Siveillance Video Client provides the option to remember passwords for users. To reduce the risk of
unauthorized access, Siemens recommends that you do not use this feature.

To turn off the remember password feature, follow these steps:


1. Open Management Client.
2. Expand the Client node, select Video Client Profiles, and then select the relevant
Video Client profile.
3. In the Remember password list, select Unavailable.
Note: The Remember password option is not available the next time a user with this profile
logs into Siveillance Video Client.

Figure 14

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-1 Identification and Authentication Policy and Procedures

Turn on only required client features


Turn on only required features, and turn off features that a surveillance operator does not need. The
point is to limit opportunities for misuse or mistakes.
You can turn on and turn off features in Management Client.

In Management Client, configure Video Client profiles to specify sets of permissions for users who are
assigned to the profile. Video Client profiles are similar to Management Client profiles, and the same user
can be assigned to each type of profile.
To configure a Video Client profile, follow these steps:
1. Open Management Client.
2. Expand the Client node, select Video Client Profiles, and then select the relevant
Video Client profile.
3. Use the tabs to specify settings for features in Video Client. For example, use the settings on
the Playback tab to control features used to investigate recorded video.
Note: Before you assign a user to a Video Client profile, ensure that the permissions for the user’s role
are appropriate for the profile. For example, if you want a user to be able to investigate video, make
sure that the role allows the user to play back video from cameras, and that Sequence Explorer tab is
available on the Video Client profile.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-6 Least Privilege
• NIST SP 800-53 CM-6 Configuration Settings

Use separate names for user accounts


Siemens recommends that you create a user account for each user, and use a naming convention
that makes it easy to identify the user personally, such as their name or initials. This is a best practice
for limiting access to only what is necessary, and it also reduces confusion when auditing.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-4 Least Privilege
• NIST 800-53 CM-1 Configuration Management Policy and Procedures
• NIST 800-53 CM-2 Baseline Configuration
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality

Prohibit the use of removable media


For video exports, establish a chain of procedures that are specific to evidence. Siemens recommends
that the security policy allows only authorized Siveillance Video Client operators to connect removable
storage devices such as USB flash drives, SD cards, and Videophones to the computer where
Siveillance Video Client is installed.
Removable media can transfer malware to the network, and subject video to unauthorized distribution.
Alternatively, the security policy can specify that users can export evidence only to a specific location on
the network, or to a media burner only. You can control this through the Video Client profile.



Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 MP-7 Media Use
• NIST SP 800-53 SI-3 Malicious Code Protection

Siveillance Video Mobile client - advanced steps

The document referred to in the footnote provides guidance that is specifically for mobile devices32. The
information it contains applies to all topics in this section.

Always use the Siveillance Video Mobile client on secure devices

Siemens recommends that you always use the Siveillance Video Mobile client on secure devices that are
configured and maintained according to a security policy. For example, ensure that mobile devices do not
allow users to install software from unauthorized sources. An enterprise app store is one example of a
way to constrain device applications as part of overall mobile device management.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SC-7 Boundary Protection
• NIST SP800-53 CM-6 Configuration Settings

Download the Siveillance Video Mobile client from authorized sources


Siemens recommends that you download the Siveillance Video Mobile client from one of these sources:
• Google Play Store
• Apple App Store
• Microsoft Windows Store.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 SC-7 Boundary Protection
• NIST SP 800-53 CM-6 Configuration Settings

Mobile devices should be secured


If you want to access the VMS with a mobile device over a public or untrusted network, Siemens
recommends that you do so with a secure connection, use proper authentication and Transport Layer
Security33 (or connect through VPN) and HTTPS. This helps protect communications between the
mobile device and the VMS.

Siemens recommends that mobile devices use screen-lock. This helps prevent unauthorized access to the
VMS, for example, if the Videophone is lost. For maximum security, do not allow mobile client to
remember the username and password.

32
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf

33
Again, up to date TLS https://datatracker.ietf.org/wg/tls/charter/ or VPN – IP Security Protocol
https://datatracker.ietf.org/wg/ipsec/documents/
Learn more

The following control(s) provide additional guidance:


• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-17 Remote Access
• NIST SP 800-53 CM-6 Configuration Settings

Siveillance Video Web Client - advanced steps

Always run Siveillance Video Web Client on trusted client computers


Always securely connect all components of the VMS. Server-to-server and client-to-server connections
should use HTTPS and, where applicable, IPsec. TLS/HTTPS should be used only in secure variations
(e.g. TLS 1.2). Always run Siveillance Video Web Client on trusted computers; for example, do not use a
client computer in a public space. Siemens recommends that you educate users about the security
measures to remember when using browser-based applications such as Siveillance Video Web Client.
For example, make sure they know not to allow the browser to remember their password.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-2 Identification and Authentication

Use certificates to confirm the identity of a mobile server


This document emphasizes the use of the latest TLS. With that comes the need for the proper use of
certificates and the implementation of the TLS cipher suite. Siemens recommends that you install a
certificate on the mobile server to confirm the identity of the server when a user tries to connect through
Siveillance Video Web Client.

For more information, see the Edit certificates section in the Siveillance Video Mobile Server 2016 -
Administrator Guide.
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-2 Identification and Authentication
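For the certificate recommendation above and the replay-attack note in the Mobile Client section, here is an added PowerShell check (not from the Siemens guide, and not the Mobile Server's own certificate tooling) that a client machine can run against the mobile server: it opens a TLS 1.2 connection, retrieves the certificate the server presents, and reports whether the chain validates against the client's trusted CAs, whether the name the client connects with is in the certificate, the expiry, and the negotiated protocol and cipher. A self-signed or untrusted certificate shows up as a non-empty PolicyErrors value. The host name is an assumption; 8082 is a mobile server default port from this guide, and which of the two ports carries HTTPS depends on the deployment.

```powershell
# Added example, not from the Siveillance Video guide. Runs on any Windows
# client with PowerShell 5.1 or later; needs no module beyond .NET.

function Test-MobileServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name the clients use, not an IP
        [int] $Port = 8082
    )
    # The callback records the validation result instead of rejecting the
    # connection, so a bad certificate is reported rather than just failing.
    $script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:PolicyErrors = $errors
        return $true
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # Offer TLS 1.2 only, matching the protocol this guide asks for; a server
        # that cannot complete this handshake is still on an obsolete version.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            # None = chain trusted and name matches. RemoteCertificateChainErrors
            # usually means self-signed or an unknown CA; RemoteCertificateNameMismatch
            # means the clients connect with a name the certificate does not carry.
            PolicyErrors = $script:PolicyErrors
            Acceptable   = ($script:PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None -and
                            $cert.NotAfter -gt (Get-Date))
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Example run (host name assumed); check it from the client network, not from the server itself.
Test-MobileServerCertificate -HostName 'mobile.example.com' -Port 8082 | Format-List
```

Run the check from the same kind of device the users have, because the chain is validated against that machine's trust store: a certificate that passes on the server (where the private CA is installed) can still fail on a phone or workstation that lacks the CA, and users then see a warning they may learn to click through.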



Use only supported browsers with the latest security updates
Siemens recommends that you install only one of the following browsers on client computers, and that you
keep it updated with the latest security updates. Siemens also recommends that you do not use the
auto-login function of the browser.

• Apple Safari
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 CM-1 Configuration Management Policy and Procedures
• NIST SP 800-53 CM-2 Baseline Configuration
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 PL-8 Information Security Architecture
• NIST SP 800-53 SI-3 Malicious Code Protection

Management Client - advanced steps

Limit what administrators can view

Siemens recommends that you use Management Client profiles to limit what administrators can view in
the Management Client.
Management Client profiles allow system administrators to modify the Management Client user
interface. Associate Management Client profiles with roles to limit the user interface to represent the
functionality available for each administrator role.
Display only the parts of the VMS that administrators need to perform their duties.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-4 Least Privilege
• NIST 800-53 CM-1 Configuration Management Policy and Procedures
• NIST 800-53 CM-2 Baseline Configuration
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality

Allow administrators to access relevant parts of the VMS


If you have a setup that requires multiple administrators, Siemens recommends that you configure
different administrator rights for administrators who use the Management Client.

To define administrator permissions, follow these steps:



1. In Management Client, expand the Security node, select Roles, and then select the relevant
administrator role.
Note: You cannot modify the built-in administrator role, so you must create additional
administrator roles.
2. On the Overall Security tab, specify the actions that the administrator can take for each
security group.

3. On the other tabs, specify the security settings for the role in the VMS. For more information
about security settings for roles, see the Help for Management Client.
4. On the Info tab, associate the role with a Management Client profile.

Note: You can turn on or turn off features by using the Management Client profile. Before you
assign a user to a Management Client profile, ensure that the permissions for the user’s role
are appropriate for the profile. For example, if you want a user to be able to manage cameras,
make sure that the role allows the user to do this, and that cameras are enabled on the
Management Client profile.
Learn more
The following control(s) provide additional guidance:
• NIST 800-53 AC-4 Least Privilege
• NIST 800-53 CM-1 Configuration Management Policy and Procedures
• NIST 800-53 CM-2 Baseline Configuration
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality

Run the Management Client on trusted and secure networks


If you access the Management Server with Management Client over HTTP, the plain-text communication
can contain unencrypted system details. Siemens recommends that you run the Management Client
only on trusted and known networks. Use a VPN to provide remote access.

Refer to the annex "How to configure IPSec" in this guide.

Backup Protection
Backups of the VMS system can include confidential data. Siemens recommends that you treat any backup of
the VMS as a critical asset and apply appropriate security measures. These measures should cover
integrity, confidentiality and availability.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-2 Identification and Authentication
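An added PowerShell example for the integrity part of the backup recommendation above (not from the Siemens guide): it writes a SHA-256 manifest for a backup folder when the backup is taken and verifies the folder against it before a restore, reporting files that are missing, modified or not in the manifest. Paths are assumptions; the manifest must be stored apart from the backup it describes.

```powershell
# Added example, not from the Siveillance Video guide. Paths are assumptions.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,    # folder holding the VMS backup
        [Parameter(Mandatory)] [string] $ManifestPath   # keep this OUTSIDE the backup folder
    )
    $root = (Resolve-Path -LiteralPath $BackupPath).Path
    $entries = foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        # Paths are stored relative to the backup root so the manifest stays valid
        # when the backup is copied to other media.
        [pscustomobject]@{
            RelativePath = $file.FullName.Substring($root.Length).TrimStart('\')
            Length       = $file.Length
            SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
    $entries | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    @($entries).Count
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $BackupPath).Path
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($entry in $expected) {
        $path = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings.Add([pscustomobject]@{ File = $entry.RelativePath; Status = 'missing' })
        }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $entry.SHA256) {
            $findings.Add([pscustomobject]@{ File = $entry.RelativePath; Status = 'modified' })
        }
    }
    # Files that were not in the manifest are reported as well: a backup that
    # has grown is as suspicious as one that has shrunk.
    $known = @($expected.RelativePath)
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $rel = $file.FullName.Substring($root.Length).TrimStart('\')
        if ($rel -notin $known) {
            $findings.Add([pscustomobject]@{ File = $rel; Status = 'unexpected' })
        }
    }
    [pscustomobject]@{
        FilesChecked = $expected.Count
        Intact       = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage (paths assumed): create the manifest when the backup is taken, verify before restoring.
# New-BackupManifest  -BackupPath 'D:\VMSBackup\2019-06-01' -ManifestPath 'E:\Manifests\2019-06-01.csv'
# Test-BackupManifest -BackupPath 'D:\VMSBackup\2019-06-01' -ManifestPath 'E:\Manifests\2019-06-01.csv'
```

The manifest only proves integrity if whoever can alter the backup cannot also alter the manifest: keep it on separately controlled storage or sign it. Confidentiality is a separate measure (encrypt the backup at rest and in transit), and availability is covered by restore tests, which is exactly where this verification fits.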



Restrict physical access to any computer running Video Client

Siemens recommends that you restrict physical access to computers running Siveillance Video Client.
Allow only authorized personnel to access the computers. For example, keep the door locked, and use
access controls and surveillance.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 PE-1 Physical and Environmental Protection Policy and Procedures
• NIST SP 800-53 PE-2 Physical Access Authorizations
• NIST SP 800-53 PE-3 Physical Access Control
• NIST SP 800-53 PE-6 Monitoring Physical Access

Always use a secure connection by default, particularly over public networks

If you need to access the VMS with Siveillance Video Client over a public or untrusted network, Siemens
recommends that you use a secure connection through VPN. This helps ensure that communication
between Siveillance Video Client and the VMS server is protected.

Learn more

The following control(s) provide additional guidance:


• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-17 Remote Access
• NIST SP 800-53 CM-6 Configuration Settings

Activate login authorization

Login authorization requires a user to log in on Siveillance Video Client or Management Client, and
another user who has an elevated status, such as a supervisor, to provide approval.

You set up login authorization on the roles. Users associated with the role are prompted for a second user
(a supervisor) to authorize their access to the system.

Login authorization is currently not supported by mobile client, Siveillance Video Web Client, and any
Siemens Integration Platform (MIP) SDK integrations.

To turn on login authorization for a role, follow these steps:

1. Open Management Client.
2. Expand the Security node, select Roles, and then select the relevant role.
3. Select the Login authorization required check box.

To configure the roles that authorize and grant access, follow these steps:

1. To create a new role, for example "Security supervisor", expand the Security node, right-click Roles
and create a new role.
2. Click the Overall Security tab and select the Management Server node.
3. Select the Allow check box next to the Authorize users check box.

Siveillance Video 2019 72 SI SSP SH LPS COS Video


Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 AC-2 Account Management


• NIST SP 800-53 AC-6 Least Privilege
• NIST SP 800-53 AC-17 Remote Access
• NIST SP 800-53 CM-6 Configuration Settings



Do not store passwords

Siveillance Video Client provides the option to remember passwords for users. To reduce the risk of
unauthorized access, Siemens recommends that you do not use this feature.

To turn off the remember password feature, follow these steps:


1. Open Management Client.

2. Expand the Client node, select Video Client Profiles, and then select the relevant Video Client profile.
3. In the Remember password list, select Unavailable.
The Remember password option is not available the next time a user with this profile logs into Siveillance
Video Client.

Learn more

The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-1 Identification and Authentication Policy and Procedures

Turn on only required client features

Turn on only required features and turn off features that a surveillance operator does not need. The point
is to limit opportunities for misuse or mistakes.

You can turn on and turn off features in Siveillance Video Client and in Siveillance Video Management
Client.

In Management Client, configure Video Client profiles to specify sets of permissions for users who are
assigned to the profile. Video Client profiles are similar to Management Client profiles, and the same user
can be assigned to each type of profile.

To configure a Video Client profile, follow these steps:

1. Open Management Client.
2. Expand the Client node, select Video Client Profiles, and then select the relevant Video Client profile.
3. Use the tabs to specify settings for features in Video Client. For example, use the settings on the
Playback tab to control features used to investigate recorded video.

Before you assign a user to a Video Client profile, ensure that the permissions for the user's role are
appropriate for the profile. For example, if you want a user to be able to investigate video, make sure that
the role allows the user to play back video from cameras, and that the Sequence Explorer tab is available
on the Video Client profile.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-6 Least Privilege
• NIST SP 800-53 CM-6 Configuration Settings

Use separate names for user accounts

Siemens recommends that you create a user account for each user and use a naming convention that
makes it easy to identify the user personally, such as their name or initials. This is a best practice for
limiting access to only what is necessary, and it also reduces confusion when auditing.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 AC-4 Least Privilege
• NIST SP 800-53 CM-1 Configuration Management Policy and Procedures
• NIST SP 800-53 CM-2 Baseline Configuration
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 CM-7 Least Functionality



Prohibit the use of removable media

For video exports, establish evidence-handling procedures (a chain of custody) that are specific to evidence.
Siemens recommends that the security policy allows only authorized Siveillance Video Client operators to
connect removable storage devices such as USB flash drives, SD cards, and smartphones to the computer
where Siveillance Video Client is installed.

Removable media can transfer malware to the network and expose video to unauthorized distribution.
Alternatively, the security policy can specify that users can export evidence only to a specific location on
the network, or only to a media burner. You can control this through the Video Client profile.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 MP-7 Media Use
• NIST SP 800-53 SI-3 Malicious Code Protection

Siemens Mobile client - advanced steps

NIST SP 800-124 Revision 1 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf)
provides guidance that is specifically for mobile devices. The information it contains applies to all topics in
this section.

Always use the Siemens Mobile client on secure devices

Siemens recommends that you always use the Siemens Mobile client on secure devices that are
configured and maintained according to a security policy. For example, ensure that mobile devices do not
allow users to install software from unauthorized sources. An enterprise app store is one example of a way
to constrain device applications as part of overall mobile device management.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 SC-7 Boundary Protection
• NIST SP 800-53 CM-6 Configuration Settings

Download the Siemens Mobile client from authorized sources

Siemens recommends that you download the Siemens Mobile client from one of these sources:
• Google Play Store
• Apple App Store

Learn more

The following control(s) provide additional guidance:


• NIST SP 800-53 SC-7 Boundary Protection
• NIST SP 800-53 CM-6 Configuration Settings

Mobile devices should be secured

If you want to access the VMS with a mobile device over a public or untrusted network, Siemens
recommends that you do so over a secure connection: use proper authentication and Transport Layer
Security (TLS) (https://datatracker.ietf.org/wg/tls/charter/) (or connect through a VPN
(https://datatracker.ietf.org/wg/ipsec/documents/)) and HTTPS. This helps protect communications
between the mobile device and the VMS.

Siemens recommends that mobile devices use a screen lock. This helps prevent unauthorized access to the
VMS, for example if the smartphone is lost. For maximum security, implement a security policy that prohibits
the Siemens Mobile client from remembering the user name and password.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-17 Remote Access
• NIST SP 800-53 CM-6 Configuration Settings

Siveillance Video Web Client - advanced steps

Always run Siveillance Video Web Client on trusted client computers

Always securely connect all components of the VMS. Server-to-server and client-to-server connections
should use HTTPS and the latest TLS. Always run Siveillance Video Web Client on trusted computers, for
example, do not use a client computer in a public space. Siemens recommends that you educate users
about the security measures to remember when using browser-based applications, such as Siveillance
Video Web Client. For example, make sure they know to disallow the browser from remembering their
password.

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-2 Identification and Authentication

Use certificates to confirm the identity of a Siemens Mobile server

This document emphasizes the use of the latest TLS. With that comes the need for the proper use of
certificates and the correct configuration of the TLS cipher suites. Siemens recommends that you install a
certificate on the Siemens Mobile server to confirm the identity of the server when a user tries to connect
through Siveillance Video Web Client.

For more information, see the Edit certificates section in the Siemens Mobile Server 2016 – Administrator
Guide.

Learn more
The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 IA-2 Identification and Authentication



Use only supported browsers with the latest security updates

Siemens recommends that you install only one of the following browsers on client computers. Make sure
to include the latest security updates.
• Apple Safari
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox

Learn more

The following control(s) provide additional guidance:

• NIST SP 800-53 CM-1 Configuration Management Policy and Procedures
• NIST SP 800-53 CM-2 Baseline Configuration
• NIST SP 800-53 CM-6 Configuration Settings
• NIST SP 800-53 PL-8 Information Security Architecture
• NIST SP 800-53 SI-3 Malicious Code Protection



Annexure 1

How to configure IPSec for a Windows 2012 R2 Setup


Requirements:

Two Windows Servers (for example, Server 1 and Server 2) are considered for the IPsec configuration. You need:
▪ The IP addresses of both servers
▪ A secret (key) that can be used as a preshared key (PSK) for the encrypted communication between the
servers. Please note that you should use a secure random number generator to create the PSK; we
recommend tools like KeePass for this. Furthermore, we strongly recommend using a unique PSK for each
server-to-server IPsec configuration.

The following description shows how to configure IPsec based on a PSK. PSKs offer only a minimum level
of security. If your installation has high or very high security requirements, we recommend using
certificates instead of a PSK.

Instruction

You have to do the following steps on both Windows Server 2012 R2 machines:
1. Add a new Connection Security Rule
2. Customize IPsec Settings

Both steps are taken in the advanced settings of Windows Firewall. You can open it as shown in the
following two pictures.



Add a new Connection Security Rule
1. Right-click on "Connection Security Rules" and click on "New Rule".

The New Connection Security Rule Wizard opens.



1. Select Server-to-Server as the rule type and click Next.
2. The Endpoints Wizard opens:



3. The endpoints are your Windows Server 2012 R2 machines.
4. Under the heading "Which computers are in Endpoint 1?", select the option "These IP addresses".
5. Click "Add". The IP Address dialog box opens:



6. Enter the IP address of the Windows Server (Server 1) under the option "This IP address or subnet".
7. Click OK. The New Connection Security Rule Wizard dialog box is shown again.
8. Under the option "Which computers are in Endpoint 2?", enter the IP address of the Windows Server
(Server 2) in the IP Address dialog box.
9. Click OK. Endpoint 1 is Windows Server 1 and Endpoint 2 is Windows Server 2.
10. Click Next in the "New Connection Security Rule Wizard" dialog box.
11. The Requirements wizard opens:



12. Select "Require authentication for inbound and outbound connections".
13. Click "Next". The "Authentication Method" wizard opens:



14. Select “Advanced” and click “Customize”.
15. The "Customize Advanced Authentication Methods" opens:



16. Under the “First authentication methods” column, click Add.
17. The “Add First Authentication Method" window opens:



18. Select "Preshared key" and enter the key for encrypting the communication between the two
servers.
19. Click "OK".
20. The preshared key is now listed under the First authentication methods column as shown
below:



21. Click "OK".
22. Click Next in the "New Connection Security Rule Wizard".
23. The "Profile" wizard opens:



24. Select “Domain”, “Private” and “Public”.
25. Click “Next”.



26. Enter a meaningful name for the security rule and add a description.
27. Select "Finish" to close the window "New Connection Security Rule Wizard".

Customize IPsec settings

In the following steps it is assumed that you have a default setup of your Windows Server 2012 R2.
Depending on earlier modifications of your IPsec defaults, the menu entries on your system may differ from
the ones shown in this tutorial.

The following steps are recommended.

The idea is to leave only one possible security method, a strong one, for each purpose. That way it is not
possible to force a fallback to weaker encryption, for example.

1. Right-click on "Windows Firewall with Advanced Security on Local Computer" in the list and click
"Properties".



2. The window "Windows Firewall with Advanced Security on Local Computer" opens:

3. Select the tab "IPSec Settings" and click "Customize" in the section "IPsec defaults".



4. The window "Customize IPsec Defaults" opens:

5. In the section "Key exchange (Main Mode)" select "Advanced" and click "Customize".
6. The window "Customize Advanced Key Exchange Settings" opens:



7. Click on the following values, and select "Remove":
• Integrity: SHA-1
• Encryption: 3DES
• Key exchange algorithm: Diffie-Hellman Group 2
Note: By default this should be the second entry.

8. Afterwards select the entry with the following values:
• Integrity: SHA-1
• Encryption: AES-CBC 128
• Key exchange algorithm: Diffie-Hellman Group 2 (default)



9. Click Edit. The "Edit Security Method" opens:



10. Select the following values:
• Integrity algorithm: SHA-384
• Encryption algorithm: AES-CBC 256
• Key exchange algorithm: Elliptic Curve Diffie-Hellman P-384

11. Click "OK".

12. In the section "Data protection (Quick Mode)" select "Advanced" and click "Customize".



13. The window "Customize Data Protection Settings" opens:



14. Select "Require encryption for all connection security rules that use these settings".
15. Select the entry in the list and click "Edit". The window "Edit Integrity and Encryption Algorithms"
opens:



16. In the section "Protocol" select "ESP (recommended)".
17. In the section Algorithms select the following:
• Encryption algorithm: AES-GCM 256
• Integrity algorithm: AES-GMAC 256
18. In the section "Key lifetimes" select the following:
• Minutes: 60
• KB: 100,000
19. Click "OK".
20. In the section "Authentication method" select "Advanced" and click "Customize".
21. The window "Customize Advanced Authentication Methods" opens:



22. Select the entry in the list in the section "First authentication" and click "Edit”.



23. The window "Edit First Authentication Method" opens.

24. Select "Preshared key" and enter the key that will be used for the encrypted communication between
the two servers and click "OK".
25. In the window "Customize Advanced Authentication Methods" the preshared key is listed on the left
side column of the First authentication method.



26. Click "OK" in the window "Customize Advanced Authentication Methods".
27. Click "OK" in the window "Customize IPsec Defaults".
28. Click "OK" in the window "Windows Firewall with Advanced Security on Local Computer".
29. Close the window "Windows Firewall with Advanced Security" and follow the same procedure for the
second Windows Server 2012 R2.
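
The same two procedures applied from PowerShell with the NetSecurity module, as an added example that is
not part of the Siemens guide. It assumes Windows Server 2012 R2 or later with that module, an elevated
session on each of the two servers, and placeholder addresses and rule name that you replace; the PSK
helper is this example's own (the guide only asks that a secure random number generator be used), and the
main mode set is installed as the IPsec default because that is what the "Customize IPsec Defaults" dialog edits.

```powershell
#Requires -RunAsAdministrator
# Added example (not Siemens' code): "Add a new Connection Security Rule" and
# "Customize IPsec settings" applied with the NetSecurity cmdlets. Run on BOTH servers;
# swap $Local and $Remote on the second one. Addresses and rule name are placeholders.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Local    = '192.0.2.10'                        # placeholder: this server (Server 1)
$Remote   = '192.0.2.20'                        # placeholder: peer server (Server 2)
$RuleName = 'Siveillance-Server1-Server2-IPsec' # placeholder rule name

# Helper added here: 32 bytes from the OS CSPRNG, Base64-encoded, as the PSK. Generate it
# once, carry it to the peer out of band, and use a different PSK for every server pair.
function New-IpsecPresharedKey {
    param([int]$ByteLength = 32)
    $buffer = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($buffer)
}
$psk = Read-Host -Prompt 'Preshared key (leave empty to generate one on this server)'
if ([string]::IsNullOrWhiteSpace($psk)) {
    $psk = New-IpsecPresharedKey
    Write-Host "Generated PSK, enter exactly this value on the peer: $psk"
}

# Main Mode (key exchange), IPsec defaults steps 5-11: one proposal only, AES-CBC 256 /
# SHA-384 / ECDH P-384 (DH20), so no 3DES, SHA-1 or DH Group 2 fallback remains.
$mm = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA384 -KeyExchange DH20
New-NetIPsecMainModeCryptoSet -Name "$RuleName-MM" -DisplayName "$RuleName main mode" `
    -Proposal $mm -Default | Out-Null

# Quick Mode (data protection), steps 12-19: ESP with AES-GCM 256 / AES-GMAC 256, keys
# renewed after 60 minutes or 100,000 KB. Because the set holds no unencrypted proposal,
# every connection the rule protects is encrypted.
$qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AESGCM256 `
    -ESPHash AESGMAC256 -MaxMinutes 60 -MaxKilobytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -Name "$RuleName-QM" -DisplayName "$RuleName quick mode" `
    -Proposal $qm -Default

# First authentication (wizard steps 14-21, IPsec defaults steps 20-26): the preshared key.
# Certificates are the stronger choice the guide recommends for high-security installations.
$auth = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$authSet = New-NetIPsecPhase1AuthSet -Name "$RuleName-Auth" -DisplayName "$RuleName PSK" `
    -Proposal $auth -Default

# Connection security rule: server-to-server endpoints, authentication required for
# inbound and outbound traffic, Domain/Private/Public profiles (wizard steps 1-27).
New-NetIPsecRule -DisplayName $RuleName -Mode Transport `
    -LocalAddress $Local -RemoteAddress $Remote `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile 'Domain,Private,Public' | Out-Null

# Verification: the rule exists and the main mode default carries only the strong proposal.
Get-NetIPsecRule -DisplayName $RuleName |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Profile
(Get-NetIPsecMainModeCryptoSet -Name "$RuleName-MM").Proposal |
    Format-List Encryption, Hash, KeyExchange
```
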

Unsupported MSXML version

Siveillance Video is shipped with MSXML 4.0, which is no longer supported by Microsoft. A few legacy
device drivers require MSXML 4.0; however, the Siveillance Video core is compatible with later versions of
MSXML. Although there are no known issues with updating the MSXML component, please follow best
practices with respect to rollback and post-update testing.

Annexure 2

What this instruction shows

How to generate a self-signed certificate with OpenSSL.

What you will need

OpenSSL installed on your machine.

Instructions

To get a self-signed certificate you have to take three steps:

1) Generate an RSA private key
This key will be your private key and is used to sign your certificate.

2) Generate a CSR (Certificate Signing Request)
The result of this step is a file that contains detailed information about the organisation for which the
self-signed certificate is later issued.

3) Generate a self-signed certificate
In this step you use the private key from step 1) and the information file from step 2) to generate a
self-signed certificate.

Open OpenSSL in your console; afterwards you will see a command prompt as follows:
OpenSSL>

Generate an RSA private key

OpenSSL> genrsa -aes256 -out ca.key 3072

You will be prompted to enter a password. This password is used as the key to encrypt the private key. It is
highly recommended to encrypt the private key because it minimizes the chance of the key being stolen.
If an unauthorized person gets access to the private key, the signatures made with it, and therefore all
certificates signed with it, can no longer be trusted.

Explanation:
This command generates an RSA private key.
genrsa generates an RSA private key.
-aes256 encrypts the private key with 256-bit AES.
-out ca.key saves the generated (encrypted) key in the file ca.key in the directory where OpenSSL was
started from.
3072 is the number of bits the generated key has. NIST recommends a length of >= 3072.

Output file of this step:

ca.key - The RSA private key.

Generate a CSR

OpenSSL> req -new -key ca.key -out request.csr

You will be prompted to give detailed information about the entity that will receive the certificate. It is very
important that the hostname you enter is the same as the hostname of the receiver.
For example: if you protect a website https://my.hostname.com, you have to enter the hostname
my.hostname.com.
If the certificate's hostname and the real hostname differ from each other, the certificate will most likely not
be trusted by any receiver.

Explanation:
req creates and processes certificate requests
-new generates a new certificate request
-key ca.key takes the RSA private key generated in the first step
-out request.csr writes the request to the file request.csr in the directory where OpenSSL was started
from

Generate a self-signed certificate

OpenSSL> x509 -req -days 730 -in request.csr -signkey ca.key -out certificate.crt

Explanation:
This step generates the self-signed certificate.
x509 generates a self-signed certificate
-req makes OpenSSL expect a certificate request as input
-days 730 makes the certificate valid for 730 days, which is recommended by NIST
-in request.csr takes the CSR generated in the earlier step
-signkey ca.key takes the RSA private key generated in the first step
-out certificate.crt writes the certificate to the file certificate.crt in the directory where OpenSSL was
started from.
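
The three steps above as one PowerShell script, added here as an example that is not part of the Siemens
guide: it runs the same OpenSSL commands non-interactively, additionally places the hostname in a
subjectAltName (which browsers and mobile clients check instead of the CN), and then verifies that the
certificate belongs to the private key and is issued to the intended hostname. It assumes openssl.exe is on
the PATH; the hostname and the Invoke-OpenSsl helper are this example's own.

```powershell
# Added example (not Siemens' code): Annexure 2 run from PowerShell, with a subjectAltName
# added and the result checked. Assumes openssl.exe is on PATH; the hostname is a placeholder.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$HostName = 'mobileserver.example.com'   # placeholder: the name users connect to
$KeyFile  = 'ca.key'
$CsrFile  = 'request.csr'
$CrtFile  = 'certificate.crt'
$ExtFile  = 'san.cnf'

# Helper (this example's own): run openssl and fail on a non-zero exit code,
# which PowerShell would otherwise silently ignore.
function Invoke-OpenSsl {
    param([Parameter(Mandatory)][string[]]$OpenSslArgs)
    & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs[0]) failed (exit code $LASTEXITCODE)" }
}

# Step 1: encrypted 3072-bit RSA key. OpenSSL prompts for the passphrase, as in the guide.
Invoke-OpenSsl @('genrsa', '-aes256', '-out', $KeyFile, '3072')

# Step 2: CSR. -subj replaces the interactive questionnaire; the CN must equal the hostname.
Invoke-OpenSsl @('req', '-new', '-key', $KeyFile, '-out', $CsrFile, '-subj', "/CN=$HostName")

# Step 3: self-signed certificate valid for 730 days. Clients match the hostname against
# subjectAltName rather than the CN, so one is supplied through an extension file.
"subjectAltName=DNS:$HostName" | Set-Content -Path $ExtFile -Encoding ASCII
Invoke-OpenSsl @('x509', '-req', '-days', '730', '-in', $CsrFile, '-signkey', $KeyFile,
                 '-out', $CrtFile, '-extfile', $ExtFile)

# Check 1: the certificate's public key belongs to ca.key (identical RSA modulus).
$keyModulus = (& openssl rsa  -noout -modulus -in $KeyFile) -replace '^Modulus=', ''
$crtModulus = (& openssl x509 -noout -modulus -in $CrtFile) -replace '^Modulus=', ''
if ($keyModulus -ne $crtModulus) { throw "$CrtFile does not belong to $KeyFile" }

# Check 2: CN and subjectAltName both carry the hostname the clients will use.
$certText = (& openssl x509 -noout -text -in $CrtFile) -join "`n"
$escaped  = [regex]::Escape($HostName)
if ($certText -notmatch "CN\s*=\s*$escaped") { throw 'CN does not match the hostname' }
if ($certText -notmatch "DNS:$escaped")      { throw 'subjectAltName does not contain the hostname' }
Write-Host "OK: $CrtFile is issued to $HostName and matches $KeyFile"
```
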



Appendix 1 - Resources

1. Axis Communications: Hardening Guide
http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf
2. Bosch Security Systems: Bosch IP Video and Data Security Guidebook
http://resource.boschsecurity.com/documents/Data_Security_Guideb_Special_enUS_22335871499.pdf
3. British Standard BS EN 62676-1-1: Video surveillance systems for use in security applications,
Part 1-1: System requirements – General, and related documents. Describes the minimum
requirements for a video surveillance system.
http://shop.bsigroup.com/Browse-By-Subject/Security/Electronic-Security-Systems/cctvstandards/
See also related standards here.
4. Center for Internet Security: The CIS Critical Security Controls for Effective Cyber Defense.
https://www.cisecurity.org/critical-controls.cfm
5. Cloud Security Alliance (CSA): https://cloudsecurityalliance.org/ and the Cloud Controls Matrix
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
6. Defense Information Systems Agency (DISA): Security Technical Implementation Guides (STIGs)
http://iase.disa.mil/stigs/Pages/index.aspx
7. Internet Engineering Task Force (IETF), multiple references https://www.ietf.org/
8. ISO/IEC 15048 Information technology - Security techniques - Evaluation criteria for IT security
http://www.iso.org/iso/catalogue_detail.htm?csnumber=50341
9. ISO/IEC 31000, Risk management – Principles and guidelines
http://www.iso.org/iso/home/standards/iso31000.htm
10. ISO/IEC 31010, Risk management – Risk assessment techniques
http://www.iso.org/iso/catalogue_detail?csnumber=51073
11. ISO 27001: A standard and framework for managing threats in an information security
management system (ISMS). http://www.iso.org/iso/iso27001
12. ISO 27002: Information technology – Security techniques – Code of practice for information
security controls https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:en
13. Microsoft Security Update Guide: https://technet.microsoft.com/en-us/security/dn550891.aspx.
See also Why We're Not Recommending "FIPS Mode" Anymore
http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
and Automating security configuration tasks https://technet.microsoft.com/en-us/library/bb490776.aspx,
among others.
14. National Institute of Standards and Technology: Computer Security Division, Computer
Security Resource Center http://csrc.nist.gov/
15. National Institute of Standards and Technology: Cybersecurity Framework
http://www.nist.gov/cyberframework/
16. National Institute of Standards and Technology: Guide for Applying the Risk Management
Framework to Federal Information Systems
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
17. National Institute of Standards and Technology: Managing Information Security Risk
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
18. National Institute of Standards and Technology: Security and Privacy Controls for Federal
Information Systems and Organizations, SP 800-53 Revision 4
http://dx.doi.org/10.6028/NIST.SP.800-53r4 and Pre-Draft Revision 5
http://csrc.nist.gov/groups/SMA/fisma/sp800-53r5_pre-draft.html
19. NIST SP 800-100 Information Security Handbook: A Guide for Managers
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
20. NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
21. SANS Institute website: https://sans.org and the SANS Critical Security Controls
https://www.sans.org/critical-security-controls/

Appendix 2 - Acronyms

AD – Active Directory
CSA – Cloud Security Alliance
CVE – Common Vulnerabilities and Exposures
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
IEC – International Electrotechnical Commission
IETF – Internet Engineering Task Force
IP – Internet Protocol
ISO – International Standards Organization
IT – Information Technology
KB – Knowledge Base
NIST – National Institute of Standards and Technology
RSTP – Rapid Spanning Tree Protocol
SMTP – Simple Mail Transfer Protocol
SSL – Secure Socket Layer
STIG – Security Technical Information Guide
TCP – Transmission Control Protocol
TLS – Transport Layer Security
UDP – User Datagram Protocol
VMS – Video Management Software
VPN – Virtual Private Network
Issued by
Siemens Switzerland Ltd
Smart Infrastructure
International Headquarters
Theilerstrasse 1 a
6300 Zug,
Schweiz.
Phone : +41 41 724 24 24

Cyber security disclaimer

Siemens provides a portfolio of products, solutions, systems and services that includes security functions
that support the secure operation of plants, systems, machines and networks. In the field of Building
Technologies, this includes building automation and control, fire safety, security management as well as
physical security systems.

In order to protect plants, systems, machines and networks against cyber threats, it is necessary to
implement – and continuously maintain – a holistic, state-of-the-art security concept. Siemens' portfolio
only forms one element of such a concept.

You are responsible for preventing unauthorized access to your plants, systems, machines and networks
which should only be connected to an enterprise network or the internet if and to the extent such a
connection is necessary and only when appropriate security measures (e.g. firewalls and/or network
segmentation) are in place. Additionally, Siemens' guidance on appropriate security measures should be
taken into account. For additional information, please contact your Siemens sales representative or visit
http://www.siemens.com/industrialsecurity.

Siemens' portfolio undergoes continuous development to make it more secure. Siemens strongly
recommends that updates are applied as soon as they are available and that the latest versions are used.
Use of versions that are no longer supported, and failure to apply the latest updates may increase your
exposure to cyber threats. Siemens strongly recommends to comply with security advisories on the latest
security threats, patches and other related measures, published, among others, under

For additional information on building technology security and our offerings, contact your Siemens sales
or project department. We strongly recommend signing up for our security advisories, which provide
information on the latest security threats, patches and other mitigation measures
http://www.siemens.com/cert/en/cert-security-advisories.htm.

Technical specifications and availability subject to change without notice.
