This guideline is intended to provide the campus technical community with points of interest regarding the security of room automation devices or Crestron products installed on campus. This guideline interprets the applicable standards and policies set in the Multifunction Device Hardening Checklist and the Information Resources Use and Security Policy.
This guideline specifies room automation devices such as Crestron, but can be applicable to a wide variety of IoT (Internet of Things) devices.
Room automation devices support a multitude of features depending on device and application. This guideline does not attempt to cover all varieties of devices and applications, only to provide high level guidance. It is understood that every topic in this guideline will not be applicable to every possible device.
Table of Contents
- Physical Access Security
- Limit Advertised Services
- Network Placement
- Firewall and/or Access Control
- 3rd Party Installation
Physical Access Security
- If possible protect any touch panels with password or PIN.
- Do not store the password in a visible location (example: on a note next to the panel).
- If the touch device supports user roles (admin or service account), it is permissible to only password protect this role.
- Devices such as audio processing controllers or other devices fitting this form-factor should be locked in a cabinet with the keys stored securely when not in use.
- Protect Serial, USB, or other direct console ports to these devices.
- Rooms containing sensitive automation equipment should be locked after hours.
Limit Advertised Services
- Disable unencrypted or weak remote access protocols:
- Disable FTP
- Disable Telnet
- Disable rlogin
- If any of these are required for operation, proceed to the <Network Placement> and <Firewall and/or Access Control> sections for guidance.
- If the department is not intending on using the web interface, disable it if possible.
- These devices should be placed on private address space.
- If the devices are on non-routable networks and access to an external service is required a proxy may be used to facilitate access.
Firewall and/or Access Control
- These devices should be segmented from the campus network.
- A firewall is an acceptable mitigation if the devices require Telnet or other weak protocols for operation.
- The firewall should be configured to limit access to the device over these protocols only to authorized personnel and other endpoints as required.
- If a device has a web application that cannot be secured with a password or disabled entirely, a firewall should be in place to strictly limit or block access.
- If the device itself supports access control lists these should be used to limit access to authorized personnel.
3rd Party Installation
- If a vendor was used to install and configure these devices make them aware of this guideline or review and correct the installation where needed.