Protect Windows XP Pro CCTV System from Being Hacked?

Hi Guys,

I have been searching for advice on how to protect an old CCTV system running on the Windows XP Pro SP3 platform (yes, I know it is old, but my customer cannot afford to upgrade it to Windows 7) from being hacked, since the CCTV VMS software comes with a built-in web server.

The system is publicly accessible on the Internet using a DDNS service. I searched Google and found some information.

I read the information given on this link above and followed the steps as much as I could. So, apart from installing antivirus and firewall software on the system, is there anything else that I can do to make the system hack-proof, or at least as secure as possible?

Most appreciated. Thank you.

Marcus


At a bare minimum make sure you are on whatever the latest service pack of Windows XP is.

If you have the capabilities, you could disable incoming traffic on any ports that aren't specifically being used for the VMS software. Anti-virus is another option, but doesn't necessarily stop the server from being hacked. Ultimately there is no way to make an OS hack-proof, and unfortunately they are running one of the hardest to even get in the ballpark at this point.

Thanks for the advice, I have installed a software firewall and blocked incoming ports, except those ports used by the VMS.

How much more secure would / could Windows 7 be than XP? What's the cost to upgrade?

Yes, the cost of an upgrade may sound trivial, but in terms of currency conversion it costs a few hundred dollars to get a new OS plus a few hundred dollars in labour charges, which my client thinks he can save for buying another IP camera. So in the end, my client decided not to upgrade. Besides, the PC is solely there for 24/7 surveillance operation; it is not being used by other staff for web browsing or checking emails.

If you've implemented a firewall, password protection, an antivirus maybe and maybe even gone as far as disabling File and Print services from the network adapter, and maybe even disabling the Server service in services.msc, you've done really all you can do from an outside in perspective. And really, that's a lot and I think more than enough.

The greatest vulnerability to a computer is how it's used and the caution of the person using it. This is supposed to be a VMS server. Not someone's workstation. They're not supposed to do web browsing that doesn't have anything to do with the function of the surveillance on it. They're not supposed to be using it for email.

There's always something more you can do; for dollar cost on top of dollar cost. If you've done what you said, along with what I suggested, I think that's plenty.

OK, thanks for the advice. I think I have covered most of the things required to secure the Windows XP CCTV system. By the way, the CCTV system is not being used in any way by the staff. I posted this question because I was hoping someone might come up with some extraordinary new methods for protecting the system even further.

Keep in mind that the support for Windows XP ends on the 8th of April 2014.

After that it won't be getting any more security updates.

OK, thank you for the reminder, Rogier.

Hopefully before this day, my customer will have upgraded to Windows 7.

Single biggest thing I'd recommend, if there isn't one already, would be to add a router between the DVR and the Internet - even a basic cheap consumer unit will provide a level of physical security and give the unit an IP that's not directly accessible. Forward only the necessary ports to it, and make sure all the others are closed on the router's firewall.

BTW, with an older machine like this, upgrading to Windows 7 is probably not an option anyway: besides driver support for the PC itself, there has to be driver support for the DVR card.

Hi Matt,

Yes, what you said earlier is exactly what I had implemented from day 1. The customer's PC is behind a cheap D-Link router. Ports are open for remote reviewing and playback, and nothing else. Actually, in the port forwarding part, I configured the router to redirect it to another port on the Windows CCTV system, for example, 8080 redirects to 8001. On another matter, the CCTV system is not using any DVR card at all. The system is purely an NVR system.

Sadly, my customer's CCTV system got hacked or maybe got a DDOS attack... yet again, the whole VMS is down. So, I would like to post this question to everyone: has anyone implemented a VPN solution for remote viewing? Is it possible? Can my customer use a VPN Windows client and log into his private network at his office to do remote viewing and playback using Internet Explorer?

Yes, I think most corporate systems use VPNs rather than port forwarding. Port forwarding is more for consumer applications where they do not have a VPN or don't know what it is, etc.

The problem is that most corporations can afford to have their own fixed IP addresses, while small business enterprises use dynamic IP addresses as a cheaper solution. Having a dynamic IP address is not a great hassle since Dynamic DNS service is freely available. However, in respect of security, in my opinion, having a DDNS Windows client installed on the Windows CCTV system and doing updates every hour or every few hours may invite a hacker to pry/snoop on the hourly update traffic to find out the current dynamic IP address. Once the hacker gets hold of the IP address, the whole CCTV system is vulnerable to cyber attack. Can someone confirm whether I am right? Thanks

There are a number of ways to implement VPN. I've found a router flashed with DD-WRT firmware works well - it includes both VPN host and client components, so you can have one at each end, and have them automatically connect on startup to create a tunnel between the two networks. That said, VPN may not always be ideal for remote viewing, because it DOES add a fair bit of overhead.

DDNS is certainly no less secure than a static IP - if anything, you're safer, BECAUSE the IP is (potentially) changing periodically, rather than always being the same. That being said, not all dynamic-IP systems change randomly: with my cable ISP, for example, I'm technically on a dynamic system, but my IP hasn't changed in years... well, since the last time I swapped my router, anyway, since in a standard DHCP setup, IPs are tied to the requestor's MAC address. I can force a change of my IP by simply changing my router's WAN MAC address, but for the most part, it stays stable.

A static IP is not necessarily that much more expensive, either, depending on the type of service. For our residential service here, I can get it for an extra $10/mo. I believe business customers of both our DSL and cable providers can get it for an extra $30/mo. Of course, if you're on a high-traffic corporate service of some sort, that'll probably cost a lot more, but at that point you're probably paying a bundle for the service in the first place.

As for your customer's system going down: do you KNOW it was a hack or DDOS attack? Or could it have simply been some internal problem?