Best Practices For System Security

December 11, 2020

Over the years it's expected to see some customers have the unfortunate experience of having their Cablecast system affected by some sort of virus. However, a relatively recent form of attack has become more common and has a much greater impact to our community than just the inconvenience of running an antivirus or re-installing an operating system. This form of attack, commonly referred to as "Ransomware" (https://en.wikipedia.org/wiki/Ransomware), generally targets media files and encrypts them so they can not be used unless the victim pays a ransom. This has a great impact on Cablecast users as their media is an extremely valuable asset.

To help you protect your investment, we've put together the following KB articles broken up by priority. Please take the steps outlined below and don't hesitate to reach out to Cablecast Support if you have any questions or problems performing any of these steps.

Top Priority - Do These Now

Change Default FrontDoor and Windows Passwords

It's so important that you change both your FrontDoor password and Windows password from the defaults the system has shipped with. As these passwords are publicly available in our documentation, it doesn't take much googling to access a system if these steps aren't performed.

Changing The FrontDoor Password

Changing Windows Password

Make Sure Your Operating System Is Up To Date By Performing Windows Updates

Windows updates can be annoying, but Microsoft is great about getting security updates out fast. Having an updated operating system significantly reduces your risk of being affected by an attack.

Make Sure Windows Firewall Is Enabled

Proper firewall configuration makes it harder for attackers to find weak spots in your system. The Cablecast installer enables exceptions for critical cablecast applications and standard http web ports. Pretty much all other ports should be closed as they are not necessary to have open.

Uninstall VNC (should only apply to legacy systems)

Older systems may have VNC software (Virtual Network Computing) installed. This was used by our support team to access systems during technical incidents. However, this tool is no longer used and if not kept up to date presents an unnecessary security risk.

  1. Access the Windows desktop
  2. Go to Programs and Features
  3. Uninstall VNC. Note there were a few different varieties of VNC used. The two most common were RealVNC and TightVNC.

Update to new Cablecast Support Tool

The new Cablecast support tool replaces the older Tightrope support tool and removes the use of any saved passwords making it more secure.

Next Up - Best Practices

Once you've completed the above steps your in a good spot, but there is still more that can be done to prevent issues.

Improve Password Habits

Now that you've changed the default password (you did didn't you?), let us dive into passwords a bit more. It's good practice to rotate your password periodically so that if it is compromised the effect is limited in time. Remembering passwords is hard, and especially if that password is long or complicated like a good password should be. That is where a password manager like 1Password (https://1password.com/) can be a great asset. Finally, now that you have your strong passwords stored in a password manager, it will be easy to use different passwords for different logins.

Restrict Access To Network Shares

It's common on Cablecast system to use network shares to move content on and off the video servers. It's all too common for us to see content shares with very loose, or even worse no, security restrictions so that it is easy to access content shares from any system on your network. Unfortunately this makes it very easy for any infected system on your network to modify your media files, including ransomware. To minimize these risks, take the following steps:

  • Make a separate user on each video server for the content share.
    • Ensure that Guest / Everyone access is disabled.
  • Don't used persisted Mapped Network Drives. It is more secure if a user must enter a username / password each time they want to access the content share.

A Word On Anti Virus Software

The Cablecast team does not have the resources to extensively test all major antivirus software, but we do recommend having some sort of antivirus software installed and kept up to date. Anecdotally we've had good luck with Windows Defender that comes with all new systems. However there are a few common settings that need to be adjusted. Your cablecast appliances aren't typical work stations where the overhead of scanning a file as it's opened is a mere inconvenience. All Cablecast products are designed to have enough headroom to do required background tasks, but performance intensive tasks can affect the real time nature of your products. For this reason we recommend the following steps.

For a full list of all Cablecast services and programs to include to your allow list within AV software, see our Knowledge Base Article on Anti Virus programs

  • Disable realtime or "active" protection that scans files as they are being opened. This can interfere with Digital File indexing and Video play-out.
  • Add exceptions for the following Cablecast software
    • C:\TRMS\Control Modules\SxHwControl64.exe
    • C:\TRMS\Control Modules\VS\Cablecast_Video_Server.exe
    • C:\TRMS\Services\Cablecast\TRMS.Services.Cablecast.exe
    • C:\TRMS\Services\Nginx\nginx.exe
    • C:\TRMS\Services\Nginx\CCNGINXservice.exe
  • Limit scanning of media files to times where usage is minimal. For example exclude the content directory of your server, but periodically do a manual scan.