At a bare minimum make sure you are on whatever the latest service pack of Windows XP.
If you have the capabilities, you could disable incoming traffic on any ports that aren't specifically being used for the VMS software. Anti-virus is another option, but doesn't necessarily stop the server from being hacked. Ultimately there is no way to make an OS hack-proof, and unfortunately they are running one of the hardest to even get in the ballpark at this point.
How much more secure would / could Windows 7 be than XP? What's the cost to upgrade?
IPVMU Certified | 05/15/13 03:43pm
If you've implremented a firewall, password protection, an antivirus maybe and maybe even gone as far as disabling File and Print services from the network adapter, and maybe even diabling the Server service in services.msc, you've done really all you can do from an outside in perspective. And really, that's a lot and I think more than enough.
The greatest vulnerability to a computer is how it's used and the caution of the person using it. This is supposed to be a VMS server. Not someone's workstation. They're not supposed to do web browsing that doesn't have anything to do with the function of the surveillance on it. They're not supposed to be using it for email.
There's always something more you can do; for dollar cost on top of dollar cost. If you've done what you said, along with what I suggested, I think that's plenty.
Keep in mind that the support for Windows XP ends on the 8th of april 2014.
After that it won't be getting any more security updates.
Single biggest thing I'd recommend, if there isn't one already, would be to add a router between the DVR and the Internet - even a basic cheap consumer unit will provide a level of physical security and give the unit an IP that's not directly accessible. Forward only the necessary ports to it, and make sure all the others are closed on the router's firewall.
BTW, with an older machine like this, upgrading to Windows 7 is probably not an option anyway: besides driver support for the PC itself, there has to be driver support for the DVR card.
Sadly, my customer CCTV system got hacked or maybe got DDOS attack...yet again, the whole VMS is down. So, I would like post this question to everyone, has anyone implement VPN solution for remote viewing, is it possible? Can my customer use a VPN windows client and log into his private network at his office to do remote viewing and playback using Internet Explorer?
Yes, I think most corporate systems use VPNs rather than port forwarding. Port forwarding is more for consumer applications where they do not have a VPN or don't know what is, etc.
The problem is most corporations can afford to have their own fix IP addresses. While the small business enterprise uses dynamic IP addresses as a cheaper solution. While having dynamic IP address is not a great hassle since Dynamic DNS service is available freely, however, in respect of security, in my opinion, having DDNS windows client installed in Windows CCTV system and do updates every hour or every few hours, may invite hacker to pry /snoop on the hourly update traffic to find out the current dynamic IP address. Once the hacker get hold the IP address, then the whole CCTV system is vulnerable to cyber attack. Can someone confirm am I right? Thanks
There are a number of ways to implement VPN. I've found a router flashed with DD-WRT firmware works well - it includes both VPN host and client components, so you can have one at each end, and have them automatically connect on startup to create a tunnel between the two networks. That said, VPN may not always be ideal for remote viewing, because it DOES add a fair bit of overhead.
DDNS is certainly no less secure than a static IP - if anything, you're safer, BECAUSE the IP is (potentially) changing periodically, rather than always being the same. That being said, not all dynamic-IP systems change randomly: with my cable ISP, for example, I'm technically on a dynamic system, but my IP hasn't changed in years... well, since the last time I swapped my router, anyway, since in a standard DHCP setup, IPs are tied to the requestor's MAC address. I can force a change of my IP by simply changing my router's WAN MAC address, but for the most part, it stays stable.
A static IP is not necessarily that much more expensive, either, depending on the type of service. For our residential service here, I can get it for an extra $10/mo. I believe business customers of both our DSL and cable providers can get it for an extra $30/mo. Of course, if you're on a high-traffic corporate service of some sort, that'll probably cost a lot more, but at that point you're probably paying a bundle for the service in the first place.
As for your customer's system going down: do you KNOW it was a hack or DDOS attack? Or could it have simply been some internal problem?