[KBA-78996] Configuring user accounts for RTSP clients to access the Media Gateway role - Security Center 5.5 - 5.7 SR5

Series: Security Center 5.5 - 5.7 SR5
Revised/modified: 2019-07-10

This article explains how to configure secure user accounts for RTSP client applications to access the video data from your Security Center system through the Media Gateway role.

Applies to: Security Center 5.5 - 5.7 SR5

Summary

Third-party client applications that want to receive video data from your system must go through the Media Gateway role using the RTSP protocol. To connect to the Media Gateway role, the RTSP client applications must use a Security Center user account with a password specifically created for this purpose.

In Security Center 5.6 and later, the Media Gateway role is automatically created when you create the Web Client Server role. You can also create this role manually if you are not using Web Client. Upon creation, the Admin user is assigned by default to the Media Gateway role with no password. This article explains how you can harden your system by creating strong passwords for the user accounts associated with the Media Gateway role.

More information

The RTSP client application must use a separate password to log on to your system. The rationale behind this design is that the Media Gateway is the RTSP interface of Security Center with the outside world. Most client applications interfacing with the Media Gateway role do not support the secure version of RTSP (RTSPS). Therefore, traditional RTSP, which travels in plaintext, must be supported.

To minimize the risk of attack, the passwords you assign to the RTSP user accounts are only used to connect to the Media Gateway role and do not affect the user connections to Security Center. This means that an attacker who steals the Media Gateway password cannot use it to log on to the system through Config Tool and change your system settings.

For a Security Center user account to be used by an RTSP client application, the account must be added to the Accessible to list of the Media Gateway role and given a distinct password. The privileges and access rights (partitions) granted to that user account determine which cameras the RTSP client application can access on your system.

To harden your system, you must either assign a strong password for the default user, or better, replace the default user with a dedicated user created for RTSP client applications.
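The following added example (not part of the original article and not Genetec code) illustrates the rationale above: it audits RTSP requests taken from a plaintext capture of your own traffic and reports what a listener on the network learns from each. It assumes the two standard RTSP authentication schemes, Basic and Digest (the article does not say which one the Media Gateway uses); the function name and the sample capture are constructed for illustration.

```python
import base64
import re

# Constructed sample: three RTSP requests as they would look in a plaintext
# capture. Host, stream path, user names and nonce values are made up.
SAMPLE_CAPTURE = (
    "DESCRIBE rtsp://gateway.example/stream1 RTSP/1.0\r\nCSeq: 2\r\n"
    "Authorization: Basic " + base64.b64encode(b"Admin:").decode() + "\r\n\r\n"
    "DESCRIBE rtsp://gateway.example/stream1 RTSP/1.0\r\nCSeq: 2\r\n"
    'Authorization: Digest username="rtsp-viewer", realm="example", '
    'nonce="abc123", uri="rtsp://gateway.example/stream1", response="0f1e2d"\r\n\r\n'
    "OPTIONS rtsp://gateway.example/stream1 RTSP/1.0\r\nCSeq: 1\r\n\r\n"
)


def audit_rtsp_requests(capture: str) -> list:
    """Report, per request, the auth scheme, the user and what a listener learns.
    The password itself is never returned."""
    findings = []
    for block in filter(None, (b.strip() for b in capture.split("\r\n\r\n"))):
        lines = block.split("\r\n")
        method = lines[0].split(" ", 1)[0]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        scheme, _, params = headers.get("authorization", "").partition(" ")
        scheme = scheme.lower() or "none"
        user, issues = None, []
        if scheme == "basic":
            try:
                decoded = base64.b64decode(params, validate=True).decode("utf-8", "replace")
            except ValueError:
                issues.append("malformed Basic credentials")
            else:
                user, _, password = decoded.partition(":")
                issues.append("password readable from capture")
                if not password:
                    issues.append("empty password")
        elif scheme == "digest":
            match = re.search(r'username="([^"]*)"', params)
            user = match.group(1) if match else None
            issues.append("digest response open to offline guessing")
        if user and user.lower() == "admin":
            issues.append("Admin account used for RTSP")
        findings.append({"method": method, "user": user, "scheme": scheme, "issues": issues})
    return findings
```

Either scheme exposes credential material on the wire, which is why the RTSP password should be strong and should belong to a dedicated, restricted account rather than Admin.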

To assign a strong password to the default user:

  1. In Config Tool, open the Video task, and click Media Gateway > Properties.
  2. Select the default user (Admin) assigned to the Media Gateway role and click Change password.
  3. In the New password dialog box that appears, enter a strong password, and then click OK > Apply.

    A strong password must be long, unique, and random. The password strength meter should indicate a score of 4 or 5.

To replace the default user with a dedicated user:

  1. Create a user with the privileges and access rights you want to grant to the RTSP client application.

    We do not recommend using the Admin account for RTSP requests because it has unrestricted access to your system. For more information on creating users, see Creating users.

  2. Open the Video task, and click Media Gateway > Properties.
  3. Click Add an item, select the user you created, and click Add.
  4. In the New password dialog box that appears, enter a strong password, and click OK.
  5. Select the default user (Admin) assigned to the Media Gateway role, click Remove the item, and then click Apply.
  6. Add more dedicated users to the Accessible to list if necessary.

Status

These hardening procedures are no longer required as of Security Center 5.7 SR6 and 5.8 GA.