security reference guide: crestron® control systems
Crestron® Control Systems
Security Reference Guide
Crestron Electronics, Inc.
Original Instructions
The U.S. English version of this document is the original instructions. All other languages are a translation of the original instructions.
Crestron product development software is licensed to Crestron dealers and Crestron Service Providers (CSPs) under a limited nonexclusive, nontransferable Software Development Tools License Agreement. Crestron product operating system software is licensed to Crestron dealers, CSPs, and end-users under a separate End-User License Agreement. Both of these Agreements can be found on the Crestron website at www.crestron.com/legal/software_license_agreement.
The product warranty can be found at www.crestron.com/warranty.
The specific patents that cover Crestron products are listed at www.crestron.com/legal/patents.
Certain Crestron products contain open source software. For specific information, visit www.crestron.com/opensource.
Crestron, the Crestron logo, 3-Series, Crestron Toolbox, DigitalMedia, and Fusion RoomView are either trademarks or registered trademarks of Crestron Electronics, Inc. in the United States and/or other countries. Active Directory, Microsoft, Windows, and Windows Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Ethernet is either a trademark or registered trademark of Xerox Corporation in the United States and/or other countries. Other trademarks, registered trademarks, and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Crestron disclaims any proprietary interest in the marks and names of others. Crestron is not responsible for errors in typography or photography.
©2020 Crestron Electronics, Inc.
Contents

Revision History
Introduction
Suggested System Configuration
    Architecture
    Firewall Rules in Normal Operation
    Firewall Rules in Isolation Mode
Assumptions
Common Steps
Optional Steps
    Secure Connections
    Web Server
    Set Lock Out Configuration
    Blocked IP Address Functions
    Set Password Rules
    Other Password Commands
    Authenticate Using Active Directory® Software
        Add Local or Active Directory User to a Local Group
        Remove Local or Active Directory User from a Local Group
        Add Active Directory Group
        Delete Active Directory Group
        List Users
        List Group Users
        List Local Groups
        List Active Directory Groups
        Show User Information
        Who Command Change
    Install a Certificate
    Disable Crestron Cloud
    Set Idle Time Out
    Set Up Audit Logs
    802.1x Authentication
Security Protocols
More About User Groups
TSW Touch Screens
DigitalMedia™ Devices
    Matrix Switches
    Transmitter and Receiver Devices
Enabling Remote Access

Security Reference Guide — Doc. 8563H
Revision History
Please send comments and change recommendations to [email protected].
Version | Date | Notes | Author
A | February 23, 2015 | Release Version | JP
B | March 13, 2015 | Added Web Server Information | JP
C | March 23, 2015 | Added disabling of TSW Setup Key Sequence | JP
D | May 6, 2015 | Added information regarding Remote Access | JP
E | June 9, 2015 | Corrected CIPHER command | JP
F | April 22, 2016 | Updated to 1.5xx firmware (keep SSH enabled) and addition of DM Matrix Switch Information | JP
G | July 18, 2016 | Added SECUREGATEWAYMODE information | JP
H | April 14, 2020 | Formatted to Crestron branding standards. | TP
Introduction
This document describes the steps needed to harden a Crestron® installation and assumes a basic understanding of security functions and protocols.
Suggested System Configuration
Crestron® control devices are built on a variety of platforms and processors. In certain cases, a device is unable to provide the full set of security features needed for a specific solution.

Crestron's CP3N, AV3, and PRO3 all feature the Crestron Control Subnet, which provides an easy way to create a new Ethernet® network dedicated to Crestron's Ethernet devices. The Control Subnet simplifies setting up a dedicated Crestron LAN; it has its own DHCP and DNS server. The Control Subnet is designed as a fully functional firewall/router, and the control system and Crestron tools open ports on it as needed.

Devices on the Control Subnet are able to reach out to the wider LAN by default, but other traffic into the Control Subnet is limited to Crestron tools.

To further restrict the system, the 3-Series® processor supports Isolation Mode, where the firewall is configured so that no traffic can traverse from the LAN to the devices on the Control Subnet nor from the Control Subnet to the LAN. Using this mechanism, customers can protect their corporate LAN from devices on the Control Subnet.

Architecture

Even if nothing is plugged into the Control Subnet port on the back of the control system, there are still some devices on the Control Subnet:

• Control System CPU (where AV programs run)
• Optional expansion cards (PRO3 and AV3 only)

This design ensures that the Crestron CPU and optional expansion cards are protected from malicious packets on the LAN. The diagram below illustrates how all of the components work together:

The firewall rules only admit inbound traffic for services the CPU itself listens on. As a result, a port scan from the LAN shows only the CPU's listeners, not the devices behind the Control Subnet. Users have the ability to set up manual port forwarding rules to make custom connections to the devices on the Control Subnet.

Crestron's management utility, Crestron Toolbox™ software, creates custom port forwarding rules in the 64000-64299 range to enable management of the devices on the Control Subnet. These port forwarding rules are created when the tool connects and are torn down when the tool disconnects or when the device is rebooted.
Security Reference Guide — Doc. 8563H Crestron® Control Systems • 5
Firewall Rules in Normal Operation

Under normal operation, the firewall on the Control Subnet router is set as follows:

Function | Type | Destination Port | From (Sender) | To (Listener) / Result | Notes
FTP | TCP | 21 | Inbound from LAN | To CPU | If enabled in control system program. FTP is disabled in most cases.
SSH | TCP | 22 | Inbound from LAN | To CPU |
Telnet | TCP | 23 | Inbound from LAN | To CPU | If enabled in control system program.
Web | TCP | 80 & 443 | Inbound from LAN | To CPU | If enabled in control system program.
Flash Policy | TCP | 843 | Inbound from LAN | To CPU | If enabled in control system program.
Crestron communication protocols | TCP/UDP | 41794-41797 | Inbound from LAN | To CPU | Crestron Terminal Protocol is disabled in recent builds. Most devices use SSH.
Programmatic listeners | TCP/UDP | Listen ports used by program | Inbound from LAN | To CPU |
Crestron management tool access to devices on the Control Subnet | TCP | 64000-64299 | Inbound from LAN | To devices on Control Subnet | Ports are opened and closed as needed.
All outbound traffic | TCP/UDP | Any port | Control Subnet outbound to LAN | Allowed | All outbound traffic is allowed.
User-defined port forwarding | TCP/UDP | User defined | Inbound from LAN | User defined | Allows the end user to do manual port forwarding to devices on the Control Subnet.
Firewall Rules in Isolation Mode

When Isolation Mode is enabled, the rules are as follows:

Function | Type | Destination Port | From (Sender) | To (Listener) / Result | Notes
FTP | TCP | 21 | Inbound from LAN | To CPU | If enabled in control system program. FTP is disabled in most cases.
SSH | TCP | 22 | Inbound from LAN | To CPU |
Telnet | TCP | 23 | Inbound from LAN | To CPU | If enabled in control system program.
Web | TCP | 80 & 443 | Inbound from LAN | To CPU | If enabled in control system program.
Flash Policy | TCP | 843 | Inbound from LAN | To CPU | If enabled in control system program.
Crestron communication protocols | TCP/UDP | 41794-41797 | Inbound from LAN | To CPU | Crestron Terminal Protocol is disabled in recent builds. Most devices use SSH.
Programmatic listeners | TCP/UDP | Listen ports used by program | Inbound from LAN | To CPU |
Crestron management tool access to devices on the Control Subnet | TCP | 64000-64299 | Inbound from LAN | BLOCKED | Crestron's tools cannot connect to any devices on the Control Subnet.
Control system CPU traffic | TCP/UDP | Any client ports used by program | Control Subnet outbound to LAN | From CPU: Allowed | The control system CPU can communicate with both the LAN and the Control Subnet.
All other outbound traffic | TCP/UDP | Any port | Control Subnet outbound to LAN | All other devices: BLOCKED | No outbound traffic is allowed.
User-defined port forwarding | TCP/UDP | User defined | Inbound from LAN | BLOCKED | No port forwarding can be managed by the user.

Along with the firewall rules, Isolation Mode also disables the functionality needed for making port mappings by either the user or Crestron tools. Therefore, in Isolation Mode, not even Crestron's tools can connect to the devices on the Control Subnet.

The only device that can communicate with both the LAN and the Control Subnet in Isolation Mode is the control system CPU.
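The two tables above describe what a scan of the processor's LAN interface should show. The following script, added here as an example and not part of this guide or Crestron's software, parses nmap "grepable" (-oG) output and reports every open port that the documented rules do not explain for a processor that has been through the Common Steps (FTP, Telnet, and HTTP off). The scan text, the host address, and the nmap flags are assumptions; ports opened by the site's own control program are passed in, because the tables cannot know them.

```python
"""Added example, not Crestron's code: check an nmap scan of a 3-Series
processor's LAN interface against the listener set the rule tables above
lead you to expect after hardening (FTP, Telnet and HTTP off).
The scan text below is constructed; only the -oG line shape is nmap's."""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, "tcp" | "udp")

# Documented LAN-reachable listeners on a hardened processor. Ports the
# control program opens itself are site specific and are passed in.
BASELINE: Set[Port] = {(22, "tcp"), (443, "tcp")} | {
    (p, proto) for p in range(41794, 41798) for proto in ("tcp", "udp")
}
TOOLBOX_FORWARDS = range(64000, 64300)  # transient Toolbox port forwards
EXPLAIN = {  # services the guide expects to be disabled after hardening
    21: "FTP is reachable; the guide expects it disabled",
    23: "Telnet is reachable; the guide expects it disabled (use SSH)",
    80: "plain HTTP is reachable; expected off, or only redirecting to 443",
    843: "Flash policy server is reachable; only needed for XPanel Web Browser",
}

_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_grepable(text: str) -> Dict[str, Set[Port]]:
    """Map each host in nmap -oG output to its set of open (port, proto)."""
    hosts: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        port_field = line.split("Ports:", 1)[1]
        found = {(int(p), proto) for p, proto in _PORT_RE.findall(port_field)}
        hosts.setdefault(host, set()).update(found)
    return hosts


def audit(open_ports: Set[Port], program_ports: Set[Port] = frozenset()) -> List[str]:
    """Return one finding per open port that the baseline does not explain."""
    findings: List[str] = []
    for port, proto in sorted(open_ports):
        if (port, proto) in BASELINE or (port, proto) in program_ports:
            continue
        if proto == "tcp" and port in TOOLBOX_FORWARDS:
            findings.append(f"{port}/tcp: Toolbox port forward into the Control Subnet is open; "
                            "a tool session is active or the forward was left behind (a reboot clears it)")
        elif port in EXPLAIN:
            findings.append(f"{port}/{proto}: {EXPLAIN[port]}")
        else:
            findings.append(f"{port}/{proto}: undocumented listener; check the program's listen ports")
    return findings


# Constructed sample: what a scan might show before Telnet is turned off
# and while a Toolbox forward is still up. Host address is assumed.
SAMPLE_SCAN = """# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///, 41794/open/tcp//crestron-cip///, 64001/open/tcp//unknown///
# Nmap done"""

if __name__ == "__main__":
    for host, ports in parse_grepable(SAMPLE_SCAN).items():
        print(host)
        for finding in audit(ports) or ["no unexpected listeners"]:
            print("  -", finding)
```

Run it against real output from `nmap -sS -sU -p- -oG - <processor>`; the UDP pass matters because the 41794-41797 range is documented for both protocols. Re-scan after rebooting the processor: a 64000-64299 listener that survives a reboot is not a Toolbox forward and needs explaining.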
Assumptions
Crestron assumes the following about the operating environment of its systems:
1. The system is not capable of dual authorization. If your organization's policy requires dual authorization, you cannot use the system.
2. Physical security, commensurate with the value of the system and the data it contains, is assumed to be provided by the environment.
3. Administrators are trusted to follow and apply all administrator guidance.
Common Steps
Take the following steps when hardening a Crestron control system:

1. Input the command AUTH ON. You will be prompted for the name and password of an Administrator account. Do not lose this information; the system cannot be accessed without it.
2. Create other users and assign them to groups as desired. Refer to More About User Groups for more information.
3. Input the command CIPHER STRONG.
4. If your installation requires banners, copy the banner text to the following device folder: /SSHBanner/banner.txt.

Once these steps are complete, the FTP, HTTP, and Telnet services are disabled. HTTPS remains available.
Optional Steps
All steps below are optional; the rationale for each is given with it.

Secure Connections

By default, devices may connect using unsecured communications. With authentication and TLS enabled, devices may optionally connect using secured methods.

Secure connections are configured with the command SECUREGATEWAYMODE. The following parameters are supported:

• DEFAULT: Accepts both secure and unsecure Gateway CIP connections on all network interfaces.
• SECUREONLY: Accepts only secure Gateway CIP connections on all network interfaces.
• SECURENONCS: (Only valid for the CP3N, PRO3, and AV3) Accepts secure and unsecure Gateway CIP connections from devices on the Control Subnet, but only secure connections on the LAN interface.
• SECUREEXT:
  o Accepts only secure Gateway CIP connections from external IP addresses (i.e., from subnets other than those of the connected networks).
  o Accepts unsecure connections from IP addresses on the same subnet as the given network interface (i.e., the LAN port allows unsecure connections from the local LAN subnet, and the Control Subnet port allows unsecure connections from its local subnet).
  o Ensures that all mobile devices, which connect from outside the local subnets, are properly configured to use TLS/SSL communications.
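The four modes form a strict ordering from most to least permissive, which makes it possible to pick the tightest one a given population of CIP clients will tolerate. The script below, added here as an example and not code from this guide or from Crestron, models which unsecured connections each mode accepts as the bullets above describe them and selects the most restrictive mode under which every listed client still connects. The interface addresses, the client list, and the assumption that "same subnet" is judged by the interface's own mask are all constructed for the example.

```python
"""Added example, not Crestron's code: model which plain (non-TLS) Gateway
CIP connections each SECUREGATEWAYMODE setting accepts, and pick the
tightest setting a given set of clients tolerates. Interface addresses
and the client list are constructed."""
import ipaddress
from typing import Iterable, Tuple

# Assumed interface addressing of a CP3N/PRO3/AV3. "CS" is the processor's
# own address on the Control Subnet.
IFACES = {
    "LAN": ipaddress.ip_interface("192.0.2.20/24"),
    "CS": ipaddress.ip_interface("10.254.254.1/24"),
}

# From most to least restrictive; every mode accepts TLS connections.
MODES = ("SECUREONLY", "SECURENONCS", "SECUREEXT", "DEFAULT")

Client = Tuple[str, str, bool]  # (source IP, arriving interface, speaks TLS)


def unsecure_allowed(mode: str, iface: str, src: str, ifaces=IFACES) -> bool:
    """True if an unsecured CIP connection from src arriving on iface is accepted."""
    mode = mode.upper()
    if mode == "DEFAULT":
        return True
    if mode == "SECUREONLY":
        return False
    if mode == "SECURENONCS":
        return iface == "CS"  # unsecure only on the Control Subnet side
    if mode == "SECUREEXT":
        # "same subnet as the interface" is judged here by the interface's mask
        return ipaddress.ip_address(src) in ifaces[iface].network
    raise ValueError(f"unknown SECUREGATEWAYMODE {mode}")


def accepted(mode: str, client: Client, ifaces=IFACES) -> bool:
    """A TLS-capable client connects in every mode; others need an unsecure allowance."""
    src, iface, tls = client
    return tls or unsecure_allowed(mode, iface, src, ifaces)


def tightest_mode(clients: Iterable[Client], has_control_subnet: bool = True, ifaces=IFACES) -> str:
    """Return the most restrictive mode under which every client still connects."""
    clients = list(clients)
    for mode in MODES:
        if mode == "SECURENONCS" and not has_control_subnet:
            continue  # only valid on CP3N, PRO3 and AV3
        if all(accepted(mode, c, ifaces) for c in clients):
            return mode
    return "DEFAULT"


if __name__ == "__main__":
    # Constructed inventory: one legacy device on the Control Subnet that
    # cannot do TLS, one TLS-capable client on the LAN.
    inventory = [("10.254.254.30", "CS", False), ("192.0.2.55", "LAN", True)]
    print(tightest_mode(inventory))
```

The model also makes the SECUREEXT caveat concrete: any host that can put itself on the LAN segment (192.0.2.0/24 in the example) is still offered an unsecured connection, so SECUREEXT is only as strong as the layer-2 segmentation of that LAN. If the only non-TLS devices sit on the Control Subnet, SECURENONCS is the correct choice.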
Web Server

Crestron control systems contain a built-in web server. When SSL/TLS is enabled, port 80 remains open but only redirects to port 443. The web server then prompts for authentication credentials.

If the web server is not being used, some customers may prefer to disable it entirely. Use the following command to enable or disable the web server:

WEBSERVER [ON | OFF]
No parameter: displays current setting
Set Lock Out Configuration

To prevent brute force attacks, the system only allows a certain number of attempts before locking out the source IP address. By default, three unsuccessful attempts from the same IP address block that address for 24 hours. A more secure installation would not grant automatic unlocks (SETLOCKOUTTIME 0, below), because a timed unlock lets an attacker resume trying username and password combinations without the knowledge of the user or the administrator. Note that SETLOGINATTEMPTS 0 disables the lockout entirely.

To configure lock out settings, enter the following commands:

PRO3>setloginattempts ?
SETLOGINAttempts [number]
number: number of logon attempts a user will have before the console is blocked, 0 is infinite
No parameter: display current setting

PRO3>setlockouttime ?
SETLOCKOUTTIME [number]
number: number of hours to block an IP address, 0 is indefinite, 255 max
No parameter: display current setting

For USB transport, the action is blocked for five seconds after the maximum number of logon attempts is reached. If the user retries after five seconds and continues to fail, the block time is doubled. The block time continues to double until a successful logon attempt or until a control system reboot occurs. Once a user successfully authenticates against the console, the failure count is reset to zero and the block time resets to five seconds.

This setting can also be altered in Crestron Toolbox software from the Authentication Settings dialog box.
Blocked IP Address Functions

When a user reaches the maximum number of logon attempts over an Ethernet connection (CTP/SCTP/SSH), the client's IP address is blocked. Administrators have access to commands that allow them to manage this behavior.

Change Lock Out Time

To change the number of hours an IP address is blocked, enter the following command:

SETLOCKOUTTIME [number]
number: number of hours to block an IP address, 0 is indefinite, 255 max
No parameter: display current setting

List Blocked IP Addresses

To list blocked IP addresses, enter the following command:

LISTBLOCKEDip
No parameter: display current list of blocked IP addresses

Add an IP Address to the Blocked List

To add an IP address to the blocked list, enter the following command:

ADDBLOCKEDip [ipaddress]
ipaddress: IP address to block
No parameter: display current list of blocked IP addresses

Remove an IP Address from the Blocked List

To remove an IP address from the blocked list, enter the following command:

REMBLOCKEDip [ALL|ipaddress]
ipaddress: IP address of the blocked connection
ALL: remove all blocked IP addresses
No parameter: display current list of blocked IP addresses
Set Password Rules

Installations may have individual password rules that need to be applied. To apply these password rules, enter the following command:

SETPASSWORDRULE {-ALL | -NONE} | {-LENGTH:minPasswordLength} {-MIXED} {-DIGIT} {-SPECIAL}

• -ALL: all rules are applied.
• -NONE: no rules are applied.
• -LENGTH: specifies the minimum password length. By default, the minimum length is 6. This parameter cannot be combined with -NONE.
• -MIXED: password must contain a lower case and an upper case character. This parameter cannot be combined with -NONE.
• -DIGIT: password must contain a number. This parameter cannot be combined with -NONE.
• -SPECIAL: password must contain a special character. This parameter cannot be combined with -NONE.
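The rule flags are easy to get wrong when a site writes them into a build checklist, and a password that fails them is only discovered when the device rejects it. The script below, added here as an example and not code from this guide or from Crestron, interprets a SETPASSWORDRULE argument string exactly as the bullets above describe it (including the -NONE exclusivity) and reports which rules a candidate password breaks before anyone types it into a device. What counts as a "special character" is not defined on this page; the example assumes any character that is not a letter or digit, and the rule strings and candidate passwords are constructed.

```python
"""Added example, not Crestron's code: turn a SETPASSWORDRULE argument
string into a policy and test candidate passwords against it before they
are set on a device. "Special character" is assumed to mean any
non-alphanumeric character; the guide does not define it."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordRule:
    min_length: int = 6   # documented default minimum
    mixed: bool = False   # both lower- and upper-case letters required
    digit: bool = False
    special: bool = False


def parse_setpasswordrule(args: str) -> PasswordRule:
    """Interpret the flags of SETPASSWORDRULE as the guide describes them."""
    flags = [f.upper() for f in args.split()]
    if "-NONE" in flags:
        if len(flags) > 1:
            raise ValueError("-NONE cannot be combined with other rules")
        return PasswordRule(min_length=0)
    min_length, mixed, digit, special = 6, False, False, False
    for flag in flags:
        if flag == "-ALL":
            mixed = digit = special = True
        elif flag.startswith("-LENGTH:"):
            min_length = int(flag.split(":", 1)[1])
        elif flag == "-MIXED":
            mixed = True
        elif flag == "-DIGIT":
            digit = True
        elif flag == "-SPECIAL":
            special = True
        else:
            raise ValueError(f"unknown SETPASSWORDRULE flag {flag}")
    return PasswordRule(min_length, mixed, digit, special)


def violations(password: str, rule: PasswordRule) -> List[str]:
    """List every rule the candidate password breaks (empty list means OK)."""
    problems: List[str] = []
    if len(password) < rule.min_length:
        problems.append(f"shorter than {rule.min_length} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if rule.mixed and not (has_lower and has_upper):
        problems.append("needs both upper- and lower-case letters")
    if rule.digit and not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if rule.special and not any(not c.isalnum() for c in password):
        problems.append("needs a special character (assumed: non-alphanumeric)")
    return problems


if __name__ == "__main__":
    # Constructed site policy and candidates.
    rule = parse_setpasswordrule("-LENGTH:12 -MIXED -DIGIT -SPECIAL")
    for candidate in ("crestron", "Cr3stron!Pro"):
        print(candidate, violations(candidate, rule) or "OK")
```

Use the same rule string in the checklist and in the script so the two cannot drift; a default password chosen for RESETPASSWORD can be checked the same way before it is issued.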
Other Password Commands

Change Local User Password

When authentication is on, any logged-in user can change his or her password. The user is prompted to enter the old password once and the new password twice. If the old password does not match the current password, the operation fails and the password is not changed.

Local users changing their password should enter the following command:

UPDATEPASSWORD
No parameters needed

Reset Local User Password

When authentication is on, users with administrator rights can reset a user's password. To do so, enter the following command:

RESETPASSWORD -N:username -P:defaultpassword

• -N: specifies the name of the user to be reset
• -P: specifies the default password

The user should replace the default password with UPDATEPASSWORD at the next logon.
Authenticate Using Active Directory® Software

Add Local or Active Directory User to a Local Group

Local users are created on 3-Series Control Systems® without any access rights. By adding them to a local group, they inherit the access level from the group. A 3-Series Control System cannot create or remove a user from Active Directory, but it can grant access to an existing user in Active Directory software. To grant access to an Active Directory user, either add the user to a local group on the control system or add the Active Directory group(s) that the user is a member of to the control system.

When authentication is enabled, users with administrator rights can perform the following command:

ADDUSERTOGROUP -N:username -G:groupname

• -N: specifies the name of a local or domain user
• -G: specifies the name of a local group

Remove Local or Active Directory User from a Local Group

When authentication is turned on, users with administrator rights can remove local or Active Directory users from a local group. After users are removed from a local group, they no longer have the access rights associated with the group. The user account is not deleted by this command.

To remove a user, enter the following command:

REMOVEUSERFROMGROUP -N:username -G:groupname

• -N: specifies the name of a local or domain user
• -G: specifies the name of a local group

Add Active Directory Group

A 3-Series Control System cannot create or remove a group from Active Directory, but it can grant access to an existing group in Active Directory. When authentication is enabled, users with administrator privileges can add an Active Directory group to the control system and assign access levels. Once the group is added, all members of the group have access to the control system.

To add an existing Active Directory group:

ADDDOMAINGROUP -N:groupname -L:accesslevel
-N: specifies the domain group name (domain\group)
-L: specifies one of the following access levels:
    A: as an Administrator
    P: as a Programmer
    O: as an Operator
    U: as a User
    C: for Connection only

Delete Active Directory Group

When authentication is enabled, users with administrator privileges can remove a previously added Active Directory group from the control system. The group is not deleted from Active Directory. Once the group is removed from the control system, all members of that group lose access to the control system.
To remove an Active Directory group:

DELETEDOMAINGROUP domaingroupname
domaingroupname: name of the domain group (domain\groupname) to be deleted.

List Users

The following command allows users with administrator privileges to list all users (local and domain) added to local groups:

LISTUSERS
No parameters needed.

List Group Users

The following command allows administrators to see a list of all users in a specified group:

LISTGROUPUSERS groupname

List Local Groups

Users with administrator privileges can list all the local groups added to the control system. A 3-Series Control System comes with the following built-in groups, which cannot be deleted by any user: Administrators, Programmers, Operators, Users, and Connects.

To view a list of all local groups added to the control system, enter the following command:

LISTGROUPS [A] [P] [O] [U] [C]

• A: groups with administrator rights are listed
• P: groups with programmer rights are listed
• O: groups with operator rights are listed
• U: groups with user rights are listed
• C: groups with connection rights are listed
• No parameter: all groups are listed

List Active Directory Groups

Users with administrator privileges can list all the Active Directory groups that were added to the control system. To do so, use the following command:

LISTDOMAINGROUPS [A] [P] [O] [U] [C]
A: groups with administrator rights are listed
P: groups with programmer rights are listed
O: groups with operator rights are listed
U: groups with user rights are listed
C: groups with connection rights are listed
No parameter: all groups are listed
Show User Information
Administrators can query the controller to show the access rights of a particular user. Todo so, use the following command:
USERINFOrmation username
Who Command Change
When authentication is enabled, administrators can see the currently logged-in users in addition to what the command already lists. The list is filtered based on access level (users with lower access cannot see users with higher access).
To see the currently logged-in users, enter the following command:
WHO
Install a Certificate

When authentication is enabled, a self-signed certificate is created. A certificate from a trusted root authority might be needed in some installations.

To install a certificate, enter the following commands:

PRO3>certificate ?
CERTIFicate Cmd Certificate_Store <Certificate_Name> <Certificate_UID> <Password>
Where Cmd = [ADD|REM|LIST|VIEW]
Where Certificate_Store = [ROOT|MACHINE|USER|INTERMEDIATE]
ADD Certificate_Store - Add Certificate (from known location) To Specified Certificate Store (MACHINE store requires password)
REM Certificate_Store Certificate_Name Certificate_UID - Remove Specified Certificate From Specified Certificate Store
LIST Certificate_Store - List All Certificates In Specified Certificate Store
VIEW Certificate_Store Certificate_Name Certificate_UID - View Details Of Specified Certificate In Specified Certificate Store
No parameter - Lists Usage
Disable Crestron Cloud

Crestron's devices reach out to the cloud for uptime information and other diagnostic information, which may be against a site policy.
To disable cloud services, enter the following command:
ENABLEFEATURE CLOUDCLIENT OFF
Set Idle Time Out

A user might forget to log out of a console window using the LOGOFF command.

To set the idle time out, enter the following command:

PRO3>setlogoffidletime ?
SETLOGOFFIDLETIME [minutes]
minutes: idle minutes passed before the current user is logged off (limit seven days). Zero means the user will not be logged off automatically.
No parameter: display current transport setting
Set Up Audit Logs

A secure system requires monitoring access.

NOTE: The system cycles through space pre-allocated for audit logs. It is the site's responsibility to ensure these logs are archived on a regular basis if a complete history is required.

The audit log(s) can be retrieved from sftp://AuditLog or via the SSH console commands below.

NOTE: Crestron recommends the following setting: AUDITLOG ON ALL

PRO3>auditlog ?
AUDITLogging [ON|OFF] {[ALL]|[NONE]|{[ADMIN] [PROG] [OPER] [USER]}}

• ON: Enable logging
• OFF: Disable logging
• No parameter: Displays current setting

NOTE: Logons, logoffs, and account management are always logged.

Optional, used to log commands by access level:

• ADMIN: Administrator
• PROG: Programmer
• OPER: Operator
• USER: User
• ALL: All access levels
• NONE: No command logging

Example: AUDITLOGGING ON ADMIN OPER

PRO3>printauditlog ?
PRINTAUDITLOG {[ALL]}
ALL: Print the entire audit log
No parameter: Print the last 50 entries from the log

PRO3>clearauditlog ?
CLEARAUDITLOG
No parameter: Clears the audit log

Note that the CLEARAUDITLOG command is itself recorded (it appears in the sample output below); archive the log before clearing it.

PRO3>printauditlog
[12/19/2014 1:44:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 1:49:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 1:54:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 1:59:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:04:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:09:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:14:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:19:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:24:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:27:04 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 2:27:41 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # WHO
[12/19/2014 2:29:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:29:15 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # STOPTBCLIENT
[12/19/2014 2:29:36 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SNTP
[12/19/2014 2:34:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:39:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:44:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:49:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:54:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 2:59:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:04:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:09:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:14:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:19:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:19:14 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # USERUNPat
[12/19/2014 3:19:14 PM]: EVENT: LOGOFF (SHELL ) USER: admin123 # Console Session Terminated
[12/19/2014 3:24:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:27:17 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # VERsion
[12/19/2014 3:27:17 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # ISOLATENETworks
[12/19/2014 3:27:17 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # USERPAT
[12/19/2014 3:27:26 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # USERUNPat
[12/19/2014 3:27:33 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 3:27:43 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOGINAttempts
[12/19/2014 3:27:49 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOGINAttempts
[12/19/2014 3:27:57 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOCKOUTTIME
[12/19/2014 3:28:56 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETPAsswordrule
[12/19/2014 3:29:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:34:05 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CERTIFicate
[12/19/2014 3:34:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:35:48 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # TELNETport
[12/19/2014 3:35:51 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SNTP
[12/19/2014 3:35:54 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SNTP
[12/19/2014 3:38:01 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 3:38:38 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLogoffidletime
[12/19/2014 3:39:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:40:03 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # AUDITLogging
[12/19/2014 3:40:10 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # PRINTAUDITLOG
[12/19/2014 3:40:16 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CLEARerr
[12/19/2014 3:40:25 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CLEARAUDITLOG
[12/19/2014 3:40:32 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # PRINTAUDITLOG
--End of Log--
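The archived log is only useful if someone reads it. The script below, added here as an example and not code from this guide or from Crestron, parses PRINTAUDITLOG output in the line format shown above into records and flags the events an operator should review: account and group changes, lockout and password-rule changes, toggling of services, and any reconfiguration or clearing of the audit log itself. Commands are matched by prefix because the log records the abbreviated form exactly as typed (SETLOGINAttempts, AUDITLogging). The log lines embedded below are constructed in that format to exercise the parser, including the multi-word "Console Symbol" user.

```python
"""Added example, not Crestron's code: parse PRINTAUDITLOG output into
records and flag the events worth reviewing. The line format follows the
sample printed above; the sample lines here are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# [M/D/YYYY h:MM:SS AM]: EVENT: <event> (<source>) USER: <user> # <detail>
_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: EVENT: (?P<event>\w+) \((?P<source>[^)]*)\) "
    r"USER: (?P<user>.+?) # (?P<detail>.*)$"
)

# Commands whose use deserves a second look, matched by prefix because the
# log records the abbreviated form as typed (e.g. SETLOGINAttempts).
WATCH = {
    "CLEARAUDITLOG": "audit log cleared",
    "AUDITLOG": "audit logging reconfigured",
    "ADDUSERTOGROUP": "group membership changed",
    "REMOVEUSERFROMGROUP": "group membership changed",
    "ADDDOMAINGROUP": "domain group granted access",
    "DELETEDOMAINGROUP": "domain group access removed",
    "RESETPASSWORD": "password reset",
    "SETPASSWORDRULE": "password rules changed",
    "SETLOGINATTEMPTS": "lockout policy changed",
    "SETLOCKOUTTIME": "lockout policy changed",
    "AUTH": "authentication setting changed",
    "CIPHER": "cipher setting changed",
    "TELNETPORT": "Telnet service toggled",
    "WEBSERVER": "web server toggled",
    "ISOLATENETWORKS": "Control Subnet isolation changed",
}


@dataclass
class Record:
    when: datetime
    event: str    # COMMAND, LOGOFF, ...
    source: str   # SHELL, or the program that issued the command
    user: str
    detail: str   # the command as typed, or the event description


def parse_auditlog(text: str) -> List[Record]:
    """Turn PRINTAUDITLOG output into records; non-matching lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # prompt, "--End of Log--" or a wrapped fragment
        records.append(Record(
            datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            m["event"], m["source"].strip(), m["user"], m["detail"].strip()))
    return records


def review(records: List[Record]) -> List[str]:
    """One finding per watched command, in log order."""
    findings: List[str] = []
    for r in records:
        if r.event != "COMMAND" or not r.detail:
            continue
        cmd = r.detail.split()[0].upper()
        for prefix, why in WATCH.items():
            if cmd.startswith(prefix):
                findings.append(f"{r.when:%Y-%m-%d %H:%M:%S} {r.user}: {r.detail} ({why})")
                break
    return findings


def commands_by_user(records: List[Record]) -> Dict[str, int]:
    """Count COMMAND events per user; a noisy program (a 'Console Symbol') stands out."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.event == "COMMAND":
            counts[r.user] = counts.get(r.user, 0) + 1
    return counts


# Constructed sample in the PRINTAUDITLOG line format.
SAMPLE_LOG = """\
[12/19/2014 2:27:04 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # HELP
[12/19/2014 2:29:09 PM]: EVENT: COMMAND (DynTrans_SimplSharpPro.exe) USER: Console Symbol # RSLVHostname
[12/19/2014 3:27:43 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # SETLOGINAttempts
[12/19/2014 3:40:03 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # AUDITLogging
[12/19/2014 3:40:25 PM]: EVENT: COMMAND (SHELL ) USER: admin123 # CLEARAUDITLOG
[12/19/2014 3:41:02 PM]: EVENT: LOGOFF (SHELL ) USER: admin123 # Console Session Terminated
--End of Log--"""

if __name__ == "__main__":
    recs = parse_auditlog(SAMPLE_LOG)
    for line in review(recs):
        print(line)
    print(commands_by_user(recs))
```

Feed it the file fetched from sftp://AuditLog on the archive schedule; because the log wraps when its pre-allocated space fills, a CLEARAUDITLOG or AUDITLOGGING finding with no matching change ticket is the first thing to chase.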
802.1x Authentication

For installations requiring 802.1x authentication:

NOTE: Familiarity with 802.1x is assumed by this document, but for convenience the instructions for setting up 802.1x on a Windows Server® device may be found later in this document.

8021XAUthenticate: Enable/Disable 802.1x Authentication
8021xAuthenticate [ON | OFF]
ON: Enable 802.1x supplicant authentication
OFF: Disable 802.1x supplicant authentication
No parameter: displays current setting

8021XDOMain: Configure/View 802.1x Domain Name
8021xDomainName [Domain Name]
DomainName: Update domain name to the domain specified
No parameter: displays current setting

8021XMEThod: Configure/View EAP Method
8021xMethod [Password | Certificate | List]
Password: 802.1x supplicant will use the secured password (EAP MSCHAP v2) EAP method
Certificate: 802.1x supplicant will use the certificate EAP method
List: 802.1x supplicant will display the supported EAP methods
No parameter: displays current setting

8021XPASsword: Configure 802.1x Password
8021xPassword [Password]
{Password}: Update password to the one specified
No parameter: Echo back command

8021XSENdpeapver: Enable/Disable 802.1x PEAP version reporting
8021xSendPeapVer [ON | OFF]
ON: enable 802.1x PEAP version number report
OFF: disable 802.1x PEAP version number report
No parameter: displays current setting

8021XTRUStedcas: Select/List 802.1x Trusted CA Certificates
8021xTrustedCAs [LIST|USE|DONTUSE] <Certificate_Name Certificate_UID>
LIST: List all trusted root certificates
USE {Certificate Name and UID}: Add the specified certificate to the list of certificates used to validate the server
DONTUSE {Certificate Name and UID}: Remove the specified certificate from the list of certificates used to validate the server
No parameter: Display this help message

8021XUSERname: Configure/View 802.1x User Name
8021xUsername Password <Name>
Password: Displays current settings
Password {Name}: Update user name to the name specified
No parameter: Displays help menu

8021XVALidateserver: Require Validation of the 802.1x Authentication Server's Certificate
8021xValidateServer [ON | OFF]
ON: 802.1x supplicant will validate the authentication server's certificate
OFF: 802.1x supplicant will not validate the authentication server's certificate
No parameter: displays current setting

Leave server validation ON and add the issuing CA of the authentication server with 8021XTRUSTEDCAS USE. With the Password (PEAP-MSCHAPv2) method and validation OFF, the supplicant completes the exchange with whatever authentication server answers, so a rogue switch or RADIUS server can collect the MSCHAPv2 challenge/response for the configured account.
Security Protocols
NOTE: For management over SSH, a client capable of connecting over SSHv2 is required. The SSH client must be able to interoperate with a FIPS 140-2 validated server.

Crestron products use one or more of the following FIPS validated libraries:

• OpenSSL FIPS Object Module v2.0 has FIPS 140-2 certificate #1747.
• OpenSSL FIPS Object Module v1.2.x has FIPS 140-2 certificate #1051.
• Windows® Embedded Compact Cryptographic Primitives Library (bcrypt.dll) has FIPS 140-2 certificate #1989.
• Microsoft® Windows CE and Windows Mobile Enhanced Cryptographic Provider 6.00.1937 and Microsoft Windows Embedded Compact Enhanced Cryptographic Provider 7.00.1687 have FIPS 140-2 certificate #825.
More About User Groups

The system architecture supports multiple user groups (either local or from Active Directory® software). Any user can be a member of multiple groups. Both local and Active Directory groups can be given access.

A group can be granted the following rights (numbered as in the table below):

1. Log into the console/Telnet and have access to read-only system status/setting commands.
2. Use the customer web x-panel.
3. Use the setup web x-panel.
4. Log in to CIP/Gateway connections (such as Fusion RoomView® software).
5. Use Administrator commands: console commands that Crestron rates as administrator, including commands that deal with user accounts and changing system settings.
6. Use Programmer commands: console commands that Crestron rates as programmer, including commands that deal with loading programs and loading files.
7. Use Operator commands: console commands that Crestron rates as operator, including commands that deal with restarting programs, etc.

Out of the box, the device ships with the following local user groups and associated rights:

Group | 1 | 2 | 3 | 4 | 5 | 6 | 7
Crestron Admin | Y | Y | Y | Y | Y | Y | Y
Crestron Programmer | Y | Y | N | Y | N | Y | Y
Crestron Operator | Y | Y | N | Y | N | N | Y
Crestron User | N | Y | N | N | N | N | N
Crestron Connect | N | N | N | Y | N | N | N
TSW Touch Screens

To harden a TSW-752, TSW-552, or TSW-1052, use the following commands:

• AUTHENTICATION ON

NOTE: If talking to a control system with AUTHENTICATION ON (in the control system), supply the user name and password for the control system CIP connection via the SETCSAUTHENTICATION command.

• TELNETPORT OFF
• SSL NOVERIFY
• SIPENABLE OFF
• FTPSERVER OFF
• ENTERSETUPSEQ DISABLE

NOTE: SSL NOVERIFY, as its name states, enables TLS to the control system without verifying the control system's certificate. That defeats passive eavesdropping on the CIP session but not an attacker who can intercept the connection and present a certificate of their own.
DigitalMedia™ Devices

Matrix Switches

NOTE: The following information applies to the DM-MD8x8, DM-MD16x16, and DM-MD32x32.

To use DigitalMedia matrix switches, execute the following commands:

TELNETPORT OFF
SSL SELF
PASSWORD

NOTE: A rooted certificate can also be used.

SSL [OFF | SELF | CA]
where OFF turns off SSL,
where SELF sets SSL to use self-signed certificates,
where CA sets SSL to use CA issued certificates,
No parameter: displays current setting

Transmitter and Receiver Devices

Transmitter and receiver devices may be controlled over a DigitalMedia link. It is not necessary to populate the LAN port. The following information applies to all DigitalMedia devices with a LAN courtesy port.

To disable a LAN courtesy port, execute the following command:

PORTDISABLE EXTERNAL
Enabling Remote Access

When enabling remote access to a system, always remap external ports from the defaults. Remapping external ports cuts down on the number of attempts to access the system: an attacker cannot simply scan well-known ports for entry, but must scan all ports to figure out which protocols are exposed before even attempting to log in. Remapping only hides the service from casual scanning; it does not replace authentication (AUTH ON), CIPHER STRONG, and the lock out configuration described earlier, which a full port scan does not bypass.

Most home routers allow setting a different external and internal port number. Below is an example of a common home router setup page:

NOTE: If XPanel Web Browser is needed, port 843 must be opened.
Crestron Electronics, Inc.
15 Volvo Drive, Rockleigh, NJ 07647
Tel: 888.CRESTRON
Fax: 201.767.7656
www.crestron.com

Security Reference Guide — Doc. 8563H
04/23/20
Specifications subject to change without notice.