How can I protect my security system, from an IT security perspective?
The attached document explains how the security system can be hardened. Additionally, the BVMS - Network Design Guide includes best practices for designing a secure network.
BVMS Mobile Video Service - Creating a Self-Signed Certificate to establish a trusted connection
Some sites may request or require that the connection to the Mobile Video Service is a trusted connection. The following procedure allows you to create a self-signed certificate so that the connection between a web browser and the MVS is trusted.
-Navigate to the Microsoft Management Console
Run command mmc.exe
Go to File ---> Add/Remove Snap-in…
Highlight Certificates and Add for Computer Account
You should see certificates listed for Local Computer
Save a copy of this console to the Desktop
-Run Windows PowerShell ‘as administrator’ on the MVS Server
Run the following commands in Windows PowerShell to create the self-signed certificate. Include both the IP address of the MVS and its DNS name so that either works when accessing the MVS from a web browser.
$todaydt = Get-Date
$20years = $todaydt.AddYears(20)   # certificate validity: 20 years from today
# Use straight quotes, and create the certificate in the Local Machine (computer account) Personal store so that the MMC Computer Account console and IIS can see it
New-SelfSignedCertificate -DnsName "mvsIPaddress","DNSname" -CertStoreLocation Cert:\LocalMachine\My -NotAfter $20years
If creation was successful, the cmdlet prints the new certificate's thumbprint (a hash) and its subject, CN=<IP address>.
-Navigate back to your saved MMC console
Find the newly created certificate under the Personal ---> Certificates directory
Copy the Certificate to Trusted Root Certification Authorities ---> Certificates directory
-Navigate to the IIS Manager
Highlight the server machine name on the top-left and then double-click Server Certificates
Double-click the created certificate and verify that a private key corresponds to the certificate and that the certificate is OK under the Certification Path
Expand the server machine name on the left to reveal the Sites
Select Bindings… on the far right-hand side
Edit the Binding for 443
Select the newly created certificate under the SSL certificate dropdown
Click Yes that you want to change the binding
Click Add… to create a new binding on port 444
Choose BoschVms in the SSL certificate dropdown for this new binding
-Navigate to the BVMS Config Client to edit the MVS URL
Change the MVS URL to reflect port 444
The red X next to the MVS should disappear
Save/Activate (BVMS is now bound on the new port and can still communicate with the MVS server)
-Open Internet Explorer (as administrator) and navigate to the MVS URL using the IP address or the DNS Name
Continue to the site with the certificate error
Click on the certificate error in the navigation bar
Click View Certificates and then Install Certificate
Install for the Local Machine
Place certificate in the Trusted Root Certification Authorities store
Click Finish and close out the browser
Open IE again and navigate back to the MVS. There should be no more error.
*The reason behind changing the port to 444 is to make browser access for basic users easier. This way basic users only have to enter the IP address or DNS name and do not have to enter a special port in the URL.
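The MMC, PowerShell and IIS Manager steps above as one PowerShell script, added here as an example and not part of the Bosch article. It assumes the IIS WebAdministration module is installed, that the MVS site is called "Default Web Site", and uses a placeholder IP address and DNS name; the 444 binding for the BoschVms certificate is left to the steps above.

```powershell
# Added example (not from the Bosch article): create, trust, verify and bind the MVS certificate.
# Placeholders: replace $ip, $fqdn and $site with the values for your MVS server.
Import-Module PKI
Import-Module WebAdministration

$ip       = "192.0.2.10"          # placeholder MVS IP address
$fqdn     = "mvs.example.local"   # placeholder MVS DNS name
$site     = "Default Web Site"    # assumed IIS site hosting the MVS
$notAfter = (Get-Date).AddYears(20)

# 1. Create the certificate in the Local Machine Personal store (Personal -> Certificates in the MMC)
$cert = New-SelfSignedCertificate -DnsName $ip, $fqdn `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -NotAfter $notAfter -FriendlyName "MVS self-signed"

# 2. Copy the public part into Trusted Root Certification Authorities
$cerPath = Join-Path $env:TEMP "mvs-selfsigned.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 3. The two checks the article asks for in IIS Manager: private key present, certification path OK
if (-not $cert.HasPrivateKey) { throw "No private key for $($cert.Thumbprint)" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
    throw "Certification path not OK: $status"
}

# 4. Edit (or create) the site's HTTPS binding on 443 and select the new certificate
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress "*"
}
$binding = Get-WebBinding -Name $site -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, "My")

"Thumbprint: $($cert.Thumbprint)  Subject: $($cert.Subject)"
```

Run it in an elevated PowerShell on the MVS server; browsers on other machines still need the exported .cer imported into their Trusted Root store, as the Internet Explorer steps above describe.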
When installing Configuration Manager v6.20.0102 on Windows 10, the following error message may be received during the installation of .NET Framework v4.7.2:
The .NET Framework 4.7.2 is not supported on this operating system.
Windows 10 requires frequent updates that must be installed to keep the system compatible with new software installations. Microsoft periodically releases a feature update package for Windows 10 that provides new features and compatibility; these updates are required before newer versions of the .NET Framework can be installed.
Windows 10 release Information
Feature updates for Windows 10 are released twice a year, around March and September, via the Semi-Annual Channel and will be serviced with monthly quality updates for 18 months from the date of the release.
We recommend that you begin deployment of each Semi-Annual Channel release immediately as a targeted deployment to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible.
The above is an excerpt from Microsoft's Windows 10 release information document: https://docs.microsoft.com/en-us/windows/release-information/
Option 1 - This option requires an active internet connection.
Using the windows search function (Windows key+S), search for "Windows Update Setting"
Click "Check for Updates"
Install all available updates
Option 2 - This option does not require an internet connection. It requires several steps, performed according to the guidelines on Microsoft's website, to create and burn a Windows update DVD from a downloadable .ISO file provided directly by Microsoft.
You can find these instructions and links on Microsoft's website here: https://www.microsoft.com/en-au/software-download/windows10
Microsoft Event Logging: when an error occurs, the system administrator or integrator must determine what caused it. The event log helps determine which conditions caused the error and identify the context in which it occurred.
Starting Event Viewer
The procedure for starting Event Viewer depends on your starting point; for example, press Windows key + R, type "eventvwr.msc" and press Enter.
With sufficient administrative rights, you can select any computer in your network and view its Windows event logs.
To select computers in Event Viewer:
In the top of the console tree, right-click Event Viewer (local), and then click Connect to another computer.
Enter the FQDN or NetBIOS name of the target machine, or browse to it.
Adjusting Event Viewer Settings
In the console tree, right-click the appropriate log file, and then click Properties. Click the General tab.
Saving Event Logs
In the console tree, right-click the appropriate log file, and then click Save Log File As. Navigate to the subfolder in which you want to save the file, type a name for the file, click the file type, and then click Save.
Clearing Event Logs
In the console tree, right-click the appropriate log file, and then click Clear all Events. You are prompted whether you want to save the log to a file before clearing it. Click “Yes” to save the log and clear all events. If you click No, the log is not saved, but all events are cleared from the selected event log. If you click Cancel, the request to clear the log is canceled.
Viewing Event Details
In the console tree, right-click the appropriate log file. A list of events in the log file is displayed in the details pane of Event Viewer. Click a specific event in the details pane to display the Event Properties dialog box and details about the event.
In the console tree, right-click the appropriate log file, and then click Properties. Click the Filter tab. Type the appropriate information that you would like to filter.
In the console tree, right-click the appropriate log file. On the View menu, click Find. Type the appropriate information that you would like to find in the dialog box, and then click Find Next.
Error – An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
Warning – An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
Information – An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
Success Audit – An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
Failure Audit – An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.
The events themselves are what we’re trying to see, of course, and their usefulness ranges from very specific and obvious things that you can fix easily to totally undefined messages that make no sense and for which your preferred search engine finds nothing.
The regular fields on the display contain:
Log Name – while in older versions of Windows everything got dumped into the Application or System log, in the more modern editions there are dozens or hundreds of different logs to choose from. Each Windows component will most likely have its own log.
Source – this is the name of the software that generates the log event. The name usually doesn’t directly match with a filename, of course, but it is a representation of which component did it.
Event ID – the all-important Event ID can actually be a little confusing. If you were to search for “event ID 122”, you wouldn’t end up with very useful information unless you also include the Source, or application name. This is because every application can define its own Event IDs.
Level – This tells you how severe the event is – Information just tells you that something has changed or a component has started, or something has completed. Warning tells you that something might be going wrong, but it isn’t all that important yet. Error tells you that something happened that shouldn’t have happened, but isn’t always the end of the world. Critical, on the other hand, means something is broken somewhere, and the component that triggered this event has probably crashed.
User – this field tells you whether it was a system component or your user account that was running the process that caused the error. This can be helpful when looking through things.
OpCode – this field theoretically tells you what activity the application or component was doing when the event was triggered. In practice, however, it will almost always say “Info” and is pretty useless.
Computer – on your home desktop, this will usually just be your PC’s name, but in the IT world, you can actually forward events from one computer or server to another computer. You can also connect Event Viewer to another PC or server.
Task Category – this field is not always used, but it ends up basically being an informational field that tells you a bit more information about the event.
Keywords – this field is not usually used, and generally contains useless information.
As a rule of thumb, search by the general description, by the Event ID together with the source, or by a combination of those values. Just remember that an Event ID is only unique within each application, so there is a lot of overlap and you cannot search for “Event ID 122” alone: the result list would be too large and too general, and may not fit your specific issue.
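A PowerShell query that applies the rule above, filtering by Source (provider) plus Event ID and Level rather than by Event ID alone, and then saving the log before it is cleared. This is an added example, not part of the original article; the provider name, Event ID, time window and backup path are placeholders to replace with the values from your own event.

```powershell
# Added example (not from the article): filter the System log by Source + Event ID + Level,
# print the fields the article lists, and back up the log before clearing it.
$provider = "Microsoft-Windows-Kernel-General"   # placeholder Source (provider) name
$eventId  = 122                                   # placeholder Event ID (the one used in the text)
$computer = $env:COMPUTERNAME                     # or a remote FQDN/NetBIOS name (needs admin rights there)

# Level values as Event Viewer uses them: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information
$filter = @{
    LogName      = "System"
    ProviderName = $provider
    Id           = $eventId
    Level        = 1, 2, 3                        # Critical, Error and Warning only
    StartTime    = (Get-Date).AddDays(-7)         # placeholder: last seven days
}

$events = Get-WinEvent -FilterHashtable $filter -ComputerName $computer -MaxEvents 100 -ErrorAction SilentlyContinue
if (-not $events) {
    "No events from '$provider' with ID $eventId on $computer in the last 7 days"
    return
}

# One line per event with the Log Name, Source, Event ID, Level, User, Computer, Task Category fields
$events |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, UserId, MachineName, TaskDisplayName, Message |
    Format-Table -AutoSize -Wrap

# "Save Log File As": export the whole log to an .evtx before anyone clears it
$backup = "C:\Logs\System-$(Get-Date -Format yyyyMMdd-HHmm).evtx"   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
wevtutil.exe epl System $backup /r:$computer

# "Clear all Events" with the save-first prompt answered Yes, as a single command:
# wevtutil.exe cl System /bu:$backup /r:$computer   (use instead of epl above; /bu writes the backup, then clears)
```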
In all VRM installation packages the required .NET framework package is included in the VRM installation routine.
As Microsoft operating systems are expected to have the latest security updates applied before any new software component such as VRM (Video Recording Manager) or VSG (Video Streaming Gateway) is installed, the installer will then successfully finish the installation routine. The same is valid for the BOSCH DIVAR IP product range: the DIVAR IP Appliance installer contains the Microsoft update packages available from Microsoft at the time BOSCH creates the Appliance installer. Microsoft updates released after the Appliance installer release date are not included in the BOSCH package. It is therefore recommended to check for Microsoft updates whenever a Bosch DIVAR IP Appliance installer is installed.
For VRM (Video Recording Manager) stand-alone Systems and Servers with VSG (Video Streaming Gateway) installed, it is also strongly recommended to check for Microsoft OS updates before the VRM Master Installer is installed/updated.
Note: If error code 5100 is shown during the VRM software installation, ensure that all Microsoft updates for the operating system in use are installed and then run the BOSCH software installer once again. Microsoft provides more details here: https://blogs.msdn.microsoft.com/astebner/2008/10/13/net-framework-setup-verification-tool-users-guide/
For older BVMS and VRM installations please also refer to the following previous article:
How can I migrate the full configuration (including server configuration and user settings) of a BVMS system from one server to another?
(Please note that, currently, the export mechanisms provided in the BVMS Configuration Client do not export the user data. This is a known problem and is being worked on. Until then, this work-around should be applied.)
Stop the BVMS Central Server service on the existing server from the Windows task manager or Services overview.
Stop the BVMS Central Server service on the new server from the Windows task manager or Services overview.
Copy the contents of the directory C:\programdata\Bosch\VMS\UserData on the existing server to the same directory on the new server (via the network or other media).
Copy the "elements.bvms" file located in the directory C:\programdata\Bosch\VMS\ on the existing server to the same location on the new server (via the network or other media).
Start the BVMS Central Server service on the new server from the Windows task manager or Services overview.
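The five migration steps above as one PowerShell script, added here as an example and not part of the Bosch article. It is run on the existing server, assumes administrative rights and PowerShell remoting to the new server, matches the service by the display name "BVMS Central Server" used above, and uses "NEWSERVER" as a placeholder name.

```powershell
# Added example (not from the Bosch article): migrate UserData and elements.bvms to a new BVMS server.
# Run on the existing server; NEWSERVER is a placeholder for the new server's name.
$newServer = "NEWSERVER"
$vmsDir    = "C:\ProgramData\Bosch\VMS"
$remoteDir = "\\$newServer\C$\ProgramData\Bosch\VMS"

function Set-BvmsCentralServer([string]$Computer, [string]$Action) {
    # Stop or start the "BVMS Central Server" service locally or on a remote machine and return its status
    $block = {
        param($act)
        $svc = Get-Service -DisplayName "BVMS Central Server" -ErrorAction Stop
        if ($act -eq "Stop") { Stop-Service -Name $svc.Name -Force } else { Start-Service -Name $svc.Name }
        (Get-Service -Name $svc.Name).Status
    }
    if ($Computer -eq $env:COMPUTERNAME) { & $block $Action }
    else { Invoke-Command -ComputerName $Computer -ScriptBlock $block -ArgumentList $Action }
}

# Steps 1 and 2: stop the service on the existing and on the new server
Set-BvmsCentralServer $env:COMPUTERNAME "Stop"
Set-BvmsCentralServer $newServer        "Stop"

# Step 3: copy the contents of UserData (all subfolders); robocopy exit codes below 8 mean success
robocopy "$vmsDir\UserData" "$remoteDir\UserData" /E /R:2 /W:5
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Step 4: copy elements.bvms and verify the copy by comparing hashes
Copy-Item "$vmsDir\elements.bvms" "$remoteDir\elements.bvms" -Force
$srcHash = (Get-FileHash "$vmsDir\elements.bvms").Hash
$dstHash = (Get-FileHash "$remoteDir\elements.bvms").Hash
if ($srcHash -ne $dstHash) { throw "elements.bvms differs on $newServer after copy" }

# Step 5: start the service on the new server only
Set-BvmsCentralServer $newServer "Start"
```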