The following is a list of 9 recommendations for securing your Immix server, especially for customers who provide access to the system on the Internet. If you have any questions about these recommendations, please contact our support team for advice.
1. Protect your Immix server on the Internet by enabling SSL
For customers who have exposed their Immix server on the web, the most important step is to enable SSL (Secure Sockets Layer). SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server (the Immix server) and browsers remains private and intact.
If you are using a xxxx.sureviewsystems.net address, you can make use of the SureView SSL Certificate. If you are using your own domain, you will need to purchase an SSL certificate from your Domain Provider (e.g. GoDaddy.com, 123-reg.co.uk, etc.).
The certificate must be a .pfx file for use with Microsoft IIS and either be for your domain (*.mydomain.com) covering all hosts, or for the particular hostname of your Immix server (immix.mydomain.com). If you choose the single hostname then this must match the URL that your clients use to access your Immix server exactly.
Once you have a certificate, please contact the SureView Support Team, who can schedule the SSL upgrade with you. Note: There is a small ProServices charge for this service.
2. Make sure your Microsoft Server software is up to date
Microsoft routinely publishes security updates for its operating systems and software. It's important that you apply these updates on your Immix server in line with these notifications so that any vulnerabilities are closed. The primary components that require updates on the Immix server are Microsoft Server and Microsoft SQL Server. On user workstations, it's your browser and Adobe Flash Player. The easiest way to manage critical security updates is to run Windows Update. On user workstations, be sure to turn on automatic updates for your browser of choice and Adobe Flash. Alternatively, you can access information about these security updates at the links below:
Microsoft Server and SQL Security Bulletins
3. Make sure your Immix Software is up to date
SureView regularly updates the Immix Core Software and Integrations, so it is important that you keep up to date with the latest releases.
For details on the latest Core releases please check the support pages here
If you need a core update please contact the SureView Support Team
To ensure that your integrations are kept up to date you can make use of the built in “Systems Update” feature. Please read the support page below for more details:
4. Close any server vulnerabilities
There are a number of server settings and configurations that Microsoft recommends for its web server, IIS, to ensure it's secure. The simplest way to implement all of these settings is to run the Nartac tool https://www.nartac.com/Products/IISCrypto . This tool will configure your IIS server to these recommendations and ensure your system meets PCI, PCI 3.1 and FIPS 140-2 configurations. After running this utility you can confirm the configuration by entering your Immix server address into https://www.ssllabs.com/
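A local, read-only check that complements the SSL Labs scan is to read the SCHANNEL protocol settings back from the registry after the tool has run. The script below is an added example, not SureView or Nartac code; the list of protocols treated as legacy is an assumption and should be aligned with the template you applied.

```powershell
# Added example: read-only audit of server-side SCHANNEL protocol settings.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Assumption: protocols treated as legacy for an Internet-facing server.
# Align this list with the template you applied in the Nartac tool.
$legacy    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$protocols = $legacy + 'TLS 1.2'

function Get-SchannelServerState {
    param([Parameter(Mandatory)][string]$Protocol)
    $key   = "$base\$Protocol\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Enabled) {
        # No explicit value: Windows uses its built-in default, which
        # differs between Windows Server versions.
        return 'OS default'
    }
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$report = foreach ($proto in $protocols) {
    $state   = Get-SchannelServerState -Protocol $proto
    $finding = 'OK'
    if (($legacy -contains $proto) -and ($state -ne 'Disabled')) {
        $finding = 'Review: legacy protocol is not explicitly disabled'
    } elseif (($proto -eq 'TLS 1.2') -and ($state -eq 'Disabled')) {
        $finding = 'Review: TLS 1.2 is disabled'
    }
    [pscustomobject]@{ Protocol = $proto; Server = $state; Finding = $finding }
}
$report | Format-Table -AutoSize
```

SCHANNEL changes only take effect after a reboot, so run the external scan again once the server has restarted.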
5. Close all vulnerable ports
Open network ports provide easy access to key components of your server. The only ports that you should open on your Immix server are those listed on the Immix Server Ports support page (http://support.sureviewsystems.com/hc/en-us/articles/202716728-Server-Ports) or those required by the specific integrations/tools that you are using.
6. Review user access to the Immix Server
We recommend that all user access to your Immix server is administered via a Domain. Administration privileges should be restricted to a small number of IT administrators in your team. Authentication to your SQL database should be done using “Windows Authentication” and NOT using simple SQL authentication. Additionally, a dedicated, secure Windows admin account should be used for all Windows service accounts.
Regularly check both Domain and Local Windows users to ensure every account is valid.
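The review described in this section can be scripted. The following is an added example, not SureView code: it lists local administrators and enabled local accounts, then reads the authentication mode of each SQL Server instance from the registry. It assumes PowerShell 5.1 or later, an elevated session, an English-language group name, and that it is run on the machine hosting SQL Server.

```powershell
# Added example (read-only). Run elevated on the Immix / SQL Server host.

# 1. Members of the local Administrators group (domain and local principals).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Enabled local accounts, oldest logon first, to spot stale accounts.
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, LastLogon, PasswordLastSet |
    Sort-Object LastLogon |
    Format-Table -AutoSize

# 3. SQL Server authentication mode for every installed instance.
#    LoginMode 1 = Windows Authentication only, 2 = mixed mode (SQL logins allowed).
$root     = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$namesKey = Get-Item -Path "$root\Instance Names\SQL" -ErrorAction SilentlyContinue

if (-not $namesKey) {
    Write-Warning 'No SQL Server instances are registered on this machine.'
} else {
    $instances = foreach ($name in $namesKey.GetValueNames()) {
        $id   = $namesKey.GetValue($name)   # instance ID, e.g. MSSQLnn.<name>
        $mode = (Get-ItemProperty -Path "$root\$id\MSSQLServer" `
                                  -Name LoginMode).LoginMode
        [pscustomobject]@{
            Instance       = $name
            LoginMode      = $mode
            Authentication = if ($mode -eq 1) { 'Windows only' }
                             else { 'Mixed mode: review SQL logins' }
        }
    }
    $instances | Format-Table -AutoSize
}
```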
7. Review Windows Administrator Passwords to the Immix Servers
It’s critical that any administrator-level Windows login to the Immix Servers (and any other Windows machine) has been configured with a complex password. Passwords should include numbers, upper and lower case letters and symbols. They must never use a variation on the word “password” (e.g. Pa$$word). IMPORTANT: Before making a change to an Administrator-level server password, please contact our support team to ensure the change won’t impact Immix.
8. Encrypt database backups
If you are storing or transporting your Immix database to a storage device other than your primary database server, these backup files must be fully encrypted. When using SQL Server 2014 or higher, the encryption level can be specified under the “Backup Options”.
When using an older SQL Server (or a .bak file has already been taken and has not already been encrypted) you can also use 7zip to both compress and encrypt the .bak file.
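Both routes can also be run from PowerShell. The script below is an added example, not SureView code; it assumes the SqlServer PowerShell module, 7-Zip in its default install path, and a server certificate that already exists in the master database. The instance, database, certificate and file names are placeholders.

```powershell
# Added example. All names and paths below are placeholders.
$instance = 'localhost'
$database = 'ImmixDb'                  # placeholder database name
$certName = 'BackupCert'               # placeholder; certificate must exist in master
$bakFile  = 'D:\Backups\ImmixDb_encrypted.bak'

# --- SQL Server 2014 or higher: native encrypted backup -----------------
Import-Module SqlServer
$enc = New-SqlBackupEncryptionOption -Algorithm Aes256 `
           -EncryptorType ServerCertificate -EncryptorName $certName
Backup-SqlDatabase -ServerInstance $instance -Database $database `
    -BackupFile $bakFile -CompressionOption On -EncryptionOption $enc

# Confirm from backup history that recent backups were encrypted.
# key_algorithm is NULL for an unencrypted backup.
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT TOP (5) database_name, backup_finish_date, key_algorithm, encryptor_type
FROM msdb.dbo.backupset
WHERE database_name = N'$database'
ORDER BY backup_finish_date DESC;
"@ | Format-Table -AutoSize

# --- Older SQL Server, or an existing unencrypted .bak: 7-Zip -----------
$sevenZip = 'C:\Program Files\7-Zip\7z.exe'
$plainBak = 'D:\Backups\ImmixDb_plain.bak'     # placeholder

# -p with no value prompts for the password, keeping it out of the command
# line and shell history; -mhe=on also encrypts the file names in the archive.
& $sevenZip a -t7z -mhe=on -p "$plainBak.7z" $plainBak
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Only the .7z should leave the server; remove the plain .bak once the
# archive has been tested with: 7z t <archive>
```

An encrypted SQL Server backup can only be restored where the certificate and its private key are available, so back those up separately from the database backups.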
9. Review Immix User Permissions
Customers should routinely review any Immix User permissions, ensuring that users are only given the minimum permissions that are needed for their specific job role. Any users who no longer work for the company (or whose roles have changed) should have their access revoked immediately.
Customers should also ensure that the appropriate security settings are in use for their security center (Systems Tab -> System Settings -> Security):

| Setting | Description |
|---|---|
| Number of hours for incorrect answer user lockout | Length of time, in hours, that a user will be locked out of the system after making too many incorrect password attempts. |
| Number of user password reset attempts | The number of incorrect login attempts a user can make before being locked out. |
| The minimum required length of a username | Enforces new users to have usernames of at least the length specified. |
| Number of seconds before a user becomes inactive | Number of seconds before a user is deemed to be inactive. This means if a user attempts to leave the alarms area when there are no other ‘Active’ users a dialog will be shown stating they are the last user watching the alarm queue. |
| Disable password complexity requirement for new users | Allow new users to be created with uncomplicated passwords. |
| Allow the use of an email address for login | Allow users to use their email addresses when logging in. |