How can I protect my security system, from an IT security perspective?
The attached document explains how the security system can be hardened. Additionally the BVMS - Network Design Guide includes best practices for desgning a secure network.
What is the decoding performance of BVMS? How many cameras can I open on the screen before the systems is overloaded (and frames are being dropped)?
The BVMS client performance overview is attached to this article and shows, based on several workstation configurations and a specific BVMS version, how many cameras can be opened before the workstation is overloaded.
BVMS Installer - Windows Pending Restart Message
The pop-up dialog window message: "Setup has detected a pending restart. Please reboot the system and rerun the installation" appears when attempting to run the valid BVMS windows installer package.
BVMS Installer Pending Restart Message
This is a known Windows specific problem when another (non-BVMS) installer does not properly manage its creation and deletion of the “PendingFileRenameOperations” registry key. The most common user created way for this key value to be left resident in the system is when an installation prompts for a restart, yet the system is not expeditiously restarted.
A. Restart the affected workstation
B. If the issue still persists, delete the orphaned "PendingFileRenameOperations" registry key value
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\"
In the right navigation pane, right-click the "PendingFileRenameOperations" key value and select delete
Close Registry Editor.
Run the software Installer again as Administrator
Note: This message is not a Bosch product failure message. This is a problem within windows and it's registry clean-up handling. This is a Windows work around.
BVMS Mobile Video Service - Creating a Self-Signed Certificate to establish a trusted connection
Some sites may request or require that the connection to the Mobile Video Service is a trusted connection. The following procedure will allow you to create a self signed certificate to allow a trusted connection between a web browser and MVS.
-Navigate to the Microsoft Management Console
Run command mmc.exe
Go to File ---> Add/Remove Snap-in…
Highlight Certificates and Add for Computer Account
You should see certificates listed for Local Computer
Save a copy of this console to the Desktop
-Run Windows PowerShell ‘as administrator’ on the MVS Server
Run the following commands in Windows Power Shell to create the self-signed certificate including the IP address of the MVS and the DNS name so both will work when accessing from a web browser.
$todaydt = Get-Date
$20years = $todaydt.AddYears(20)
New-SelfSignedCertificate -DnsName "mvsIPaddress",”DNSname” -notafter $20years
If creation was successful, you will see a thumbprint with a hash as well as the subject CN=ipaddress
-Navigate back to your saved MMC console
Find the newly created certificate under the Personal ---> Certificates directory
Copy the Certificate to Trusted Root Certification Authorities ---> Certificates directory
-Navigate to the IIS Manager
Highlight the server machine name on the top-left and then double-click Server Certificates
Double-click the created certificate and verify that a private key corresponds to the certificate and that the certificate is OK under the Certification Path
Expand the server machine name on the left to reveal the Sites
Select Bindings… on the far right-hand side
Edit the Binding for 443
Select the newly created certificate under the SSL certificate dropdown
Click Yes that you want to change the binding
Add… new binding
Choose BoschVms in the SSL certificate dropdown
-Navigate to the BVMS Config Client to edit the MVS URL
Change the MVS URL to reflect port 444
Red X should go away
Save/Activate (BVMS will be bound on the new port and still be able to communicate with the MVS server
-Open Internet Explorer (as administrator) and navigate to the MVS URL using the IP address or the DNS Name
Continue to the site with the certificate error
Click on the certificate error in the navigation bar
Click View Certificates and then Install Certificate
Install for the Local Machine
Place certificate in the Trusted Root Certification Authorities store
Click Finish and close out the browser
Open IE again and navigate back to the MVS. There should be no more error.
*The reason behind changing the port to 444 is to make browser access for basic users easier. This way basic users only have to enter the IP address or DNS name and do not have to enter a special port in the URL.
This article provides you with information related to the Windows Firewall, how to access, configure and adjust it.
A firewall is a program installed on your machine or a piece of hardware in your network, that uses a rule-set to block or allow access to a computer, server or network. It seperatres dedicated network segments, likly your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination, while blocking all other traffic.
The Windows Firewall interface can be accessed multiple ways. The way we will look during this TB is via the Windows search function.
Click the Windows icon and type in “firewall“. Then, click on the “Windows Firewall with Advanced Security” icon.
The GUI provides you a general overview, about the basic function of the software. Displaying the current status of the firewall also which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, depending where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if your are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall. Which allows to set this profil less restrictive.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a windows domain. This profile should be the least restrictive of the other profiles because security is usually very well controlled within a domain.
by default the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in responses to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
In the Windows Firewall we can filter connection in two different kinds: port exceptions (rule assigned to a dedicated port number) and program exception (rule assigned to a dedicated program)
In general we need to distinguish between the inbound (frome somewhere to your machine) and outbound (from your machine to somewhere) rule-set.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
"Rule Type" dialog box, select "Port" depending on your need and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local Ports", and then type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window panel.
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then, click on the "New rule…"
Under "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path" browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Select a "Name" and "Description" for this rule and then Click “Finish”.
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rules in the center section, as well as a new listing in the right window pane
Edit a port / program in the firewall
Right-click on the rule which will open a context menu. Then click "Properties" and adjust the rule according your needs .
Close a port / program in the firewall
Right-click on the rule which will open a context menu. Then click " Delete".
Adjust program rule after BVMS upgrade
In case you upgraded your current BVMS up to BVMS10, refering to the article TSG-Upgrading-VRM-from-32bit-to-64bit you need to adjust the inbound + outbound rule "Bosch VRM Server" and "USB Transcoder".
Therefore right-click on the rule which will open a context menu. Then click "Properties" and adjust the programs path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe" Keep in mind, that you need to perform this action on all four rules (inbound and outbound)
Alternatively download the attachment set_fw_rules.zip (1 KB) locally to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
BVMS Lite is a BVMS edition which can be downloaded and activated free-of-charge. How can I set-up a basic (live and recorded video) BVMS Lite system?
First, you need to download the software package, active the BVMS Lite license and install the software. This is described in this article: BVMS - Activating a license.
Second, you need to prepare an iSCSI environment which is suitable for recording video. Any Windows Server based operating system will do. This is described in this article: BVMS - Configuring a Microsoft iSCSI target.
Last, you need to add cameras to the system and start the recording. This is described in this youtube video: How to add a new camera using Configuration Client (BVMS).
Now, have a look at the Operator Client quick guide and you're ready to go!
Where can I get more information on advanced functionality?
Once the software (configuration client or operator client) is running you can press F1 at any time to open the embedded software help! All of the advanced functionality BVMS offers is explained in the help files.
When installing Configuration Manager v6.20.0102 on Windows 10 and error message is received during installation of .NET Framework v4.7.2 that states:
The .NET Framework 4.7.2 is not supported on this operating system.
Windows 10 requires frequent updates that must be installed to keep the system compatible with new software installations. Windows 10 periodically releases a features update package that provides new features and compatibility. These are required for version of .NET framework installation.
Windows 10 release Information
Feature updates for Windows 10 are released twice a year, around March and September, via the Semi-Annual Channel and will be serviced with monthly quality updates for 18 months from the date of the release.
We recommend that you begin deployment of each Semi-Annual Channel release immediately as a targeted deployment to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
Above except from Microsoft's Windows 10 Release information document: https://docs.microsoft.com/en-us/windows/release-information/
Option 1 - This option will require an active internet connection.
Using the windows search function (Windows key+S), search for "Windows Update Setting"
Click "Check for Updates"
Install all available updates
Option 2 - This option will not require an internet connection. It will require multiple steps be performed per the Microsoft websites guidelines to create and burn a windows update DVD using a downloadable .ISO file provided directly from Microsoft.
You can find these instructions and links on Microsoft's website here: https://www.microsoft.com/en-au/software-download/windows10
Microsoft Event Logging, when an error occurs, the system administrator or Integrator must determine what caused the error. The operator can then use the event log to help determine what conditions caused the error and identify the context in which it occurred.
Starting Event Viewer
The procedure for starting Event Viewer depends on your starting point, e.g. windows key + R type in ”eventvwr.msc” hit enter.
With the decent administrative access, you can select any computer in your network to view that Microsoft system event logs.
To select computers in Event Viewer:
In the top of the console tree, right-click Event Viewer (local), and then click Connect to another computer.
Enter FQDN/NetBIOS name or browser to the regarding machine
Adjusting Event Viewer Settings
In the console tree, right-click the appropriate log file, and then click Properties. Click the General tab.
Saving Event Logs
In the console tree, right-click the appropriate log file, and then click Save Log File As. Navigate to the subfolder in which you want to save the file, type a name for the file, click the file type, and then click Save.
Clearing Event Logs
In the console tree, right-click the appropriate log file, and then click clear all Events. You are prompted for whether you want to save the log to a file before clearing it. Click “Yes” to save a log and clear all events. If you click No, the log is not saved, but all events are cleared from the selected Event log. If you click Cancel, the request to clear the log is canceled.
Viewing Event Details
In the console tree, right-click the appropriate log file. A list of events in the log file is displayed in the details pane of Event Viewer. Click a specific event in the details pane to display the Event Properties dialog box and details about the event.
In the console tree, right-click the appropriate log file, and then click Properties. Click the Filter tab. Type the appropriate information that you would like to filter.
In the console tree, right-click the appropriate log file. On the View menu, click Find. Type the appropriate information that you would like to find in the dialog box, and then click Find Next.
An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.
The events themselves are what we’re trying to see, of course, and their usefulness can range from really specific and obvious things that you can fix easily to the totally undefined messages that don’t make any sense and you can’t find any information on your preferred search engine. example:
The regular fields on the display contain:
Log Name – while in older versions of Windows everything got dumped into the Application or System log, in the more modern editions there are dozens or hundreds of different logs to choose from. Each Windows component will most likely have its own log.
Source – this is the name of the software that generates the log event. The name usually doesn’t directly match with a filename, of course, but it is a representation of which component did it.
Event ID – the all-important Event ID can actually be a little confusing. If you were to Google for “event ID 122” that you see in the next screenshot, you wouldn’t end up with very useful information unless you also include the Source, or application name. This is because every application can define their own unique Event IDs.
Level – This tells you how severe the event is – Information just tells you that something has changed or a component has started, or something has completed. Warning tells you that something might be going wrong, but it isn’t all that important yet. Error tells you that something happened that shouldn’t have happened, but isn’t always the end of the world. Critical, on the other hand, means something is broken somewhere, and the component that triggered this event has probably crashed.
User – this field tells you whether it was a system component or your user account that was running the process that caused the error. This can be helpful when looking through things.
OpCode – this field theoretically tells you what activity the application or component was doing when the event was triggered. In practice, however, it will almost always say “Info” and is pretty useless.
Computer – on your home desktop, this will usually just be your PC’s name, but in the IT world, you can actually forward events from one computer or server to another computer. You can also connect Event Viewer to another PC or server.
Task Category – this field is not always used, but it ends up basically being an informational field that tells you a bit more information about the event.
Keywords – this field is not usually used, and generally contains useless information.
As a rule of thumb (common way of doing), you should try searching by the general description, or the Event ID and the source, or a combination of those values. Just remember that the Event ID is unique for each application. So there is a lot of overlap and you can’t just search for “Event ID 122” only. This is because users might find the list is too large and too general, your specific search aspect might not fit your issue.
In all VRM installation packages the required .NET framework package is included in the VRM installation routine.
As Microsoft Operating Systems are expected to get and have the latest security updates applied before installing any new software component like VRM (Video Recording Manger) or VSG (Video Streaming Gateway), the installer will successfully finish the installation routine. The same is valid for BOSCH DIVAR IP product range: The DIVAR IP Appliance installer contains Microsoft update packages available from Microsoft at the time BOSCH creates the Appliance installer. But all Microsoft Updates release after the Appliance installer release date are not included in the BOSCH package. It is therefore recommended to check for Microsoft updates whenever a Bosch DIVAR IP Appliance installer is installed.
For VRM (Video Recording Manager) stand-alone Systems and Servers with VSG (Video Streaming Gateway) installed, it is also strongly recommended to check for Microsoft OS updates before the VRM Master Installer is installed/updated.
Note: In case an error code 5100 is shown during the VRM Software installation, please ensure that all Microsoft updates for the used Operating Systems are installed and run the BOSCH Software installer after that once again. For more details Microsoft provides more informaiton here: https://blogs.msdn.microsoft.com/astebner/2008/10/13/net-framework-setup-verification-tool-users-guide/
For older BVMS and VRM installations please also refer to the following previous article:
How can I migrate the full configuration (including server configuration and user settings) of a BVMS system from one server to another?
(please note that, currently, the export mechanisms provided in the BVMS Configuration Client do not export the userdata. This is a known problem and being worked on. Until then this work-around should be applied).
Stop the BVMS Central Server service on the existing server from the Windows task manager or Services overview.
Stop the BVMS Central Server service on the new server from the Windows task manager or Services overview.
Copy the contents of the directory C:\programdata\Bosch\VMS\UserData on the existing server to the same directory on the new server (via the network or other media).
Copy the "elements.bvms" file located in the directory C:\programdata\Bosch\VMS\ on the existing server to the same location on the new server (via the network or other media).
Start the BVMS Central Server service on the new server from the Windows task manager or Services overview.
How can I find the source (details of the workstation) and credentials that are used to attempt to login into BVMS (when the attempt has failed)?
The username that is used to login is saved into the BVMS logbook and can be found by searching the logbook from the Operator Client (username of login is "blabla").
The details of the workstation (mainly the IP address) is logged into the BVMS client log files. These can be found on the workstations in the directory: C:\ProgramData\Bosch\VMS\Log
(Hint: for log file analysis a lot of free / open source tools are available. Snaketail is one of these tools, and can be found here.)
Open the BVMSClientLog.txt (there could be multiple files which are all related to a different timeframe) and search for the phrase "InvalidCredentialException". If an user has tried to login to the system the following log lines should be present in the log file:
2019-03-17 18:31:53,668 75516 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.Wcf.DataAccessServiceClient ConnectAndAuthenticate - Call failed with InvalidCredentialException
2019-03-17 18:31:53,670 75518 [GUI Thread] INFO Bosch.Vms.Frontend.OpClient.ServerManagement.CentralServerManager AuthenticateAtMainServer - Main-Server 192.168.20.190: WCF online authentication result is WrongUserOrPassword
This needs to be checked for every workstation which runs the BVMS Operator Client.
The entire BVMS installation package, available on the downloadstore, contains the client as well as the server components. When a BVMS client needs to be deployed, all of this data (over 2.5GB) needs to be copied to the target workstation, which can be quite a challenge in some environments.
Once the BVMS Management Server is set-up, it creates a client installation package (mainly used for the auto-upgrade functionality). This client installation package is a lot smaller compared to the full installation package and is located on the BVMS Management Server (assuming the default installation directory is used):
In order to use the client installation package: copy all the files in this directory from the management server to the new workstation and start BVMS.msi (please note Setup.exe will trigger the auto update mechanism, which will not work as there are no existing components to be updated). The MSI will start the installation process and will allow you to select Operator Client, Configuration client and/or SDK. Please note:
The correct version of the .NET framework will need to be installed manually before this procedure is used. This can be found in the zip file available in the product catalogue: “zip file extraction location”\ISSetupPrerequisites\Microsoft .NET Framework x.x.
When using the BVMS 9.0 installer on a Windows 10 "October 2018 update" machine (Build 1809) the SNMP services cannot be installed.
Microsoft has changed the way the SNMP services are installed in Windows 10 "October 2018 update".
The SNMP services need to be installed manually.
This can be done by opening the new "Settings App“:
Manage optional Features
It can also be done using Powershell:
DISM /online /Add-Capability /CapabilityName:SNMP.Client~~~~0.0.1.0
Bosch software is distributed via the Bosch website, but can also be re-distributed by Bosch partners. It is important for the system-installer to check if the installation file he or she has received, matches exactly with the output of the engineering process. There are several risks that, in the distribution path, changes are made to the installation file. Keyloggers or other spyware could be added to the installation, or in theory video surveillance footage could be routed to external resources.
The attached document describes how the integrity of software can be checked.