Integriti CyberSecurity Hardening Guide

Overview

This guide highlights several ways to harden your Integriti installation against current cyber security threats. No system is perfectly secure, but following these suggestions can help make your system significantly harder to penetrate. Security is often a trade-off with convenience.

Key risk areas covered:

  • Protection of sensitive data and data breaches
  • Ensuring functional uptime (DOS attack mitigation)
  • Unauthorised access to security system information or control of security assets

The Integriti system’s security is largely dependent on the security of the network it is connected to. The services of a network professional should be considered.

Prerequisites

  • Administrator access to Integriti System Designer
  • Access to the Integriti Server(s) and SQL Server
  • Understanding of your organisation’s security policies
  • Familiarity with the Integriti System Configuration and communication handlers

Step-by-Step

1. Basics — Passwords, Operators, and Updates

Passwords & PINs:

  1. Change the default password for the “Installer” Operator
  2. Remove or change the default PIN for Installer and MASTER users
  3. Increase the minimum length of PINs (via Security Policies in System Settings)
  4. Do not use security PINs for high-security areas

Operators:

  5. Ensure ALL operators have Operator Types assigned (operators without a type have NO restrictions)
  6. Ensure ALL operators are linked to a User (unlinked operators can perform any action as “the system”)
  7. Ensure every person has their own operator — do not share logins
  8. Apply the Principle of Least Privilege — use Operator Types to give each account only the permissions it needs
  9. For administrators: consider a second admin account for occasional high-level tasks, so your daily account is less privileged

Software / Firmware Updates:

  10. Keep Integriti Software updated to the latest version
  11. Keep controller/module firmware updated to the latest version
  12. Regularly apply platform updates and security patches to Windows servers
  13. Run Antivirus/Antimalware software on client workstations

Integriti Hardware:

  14. Disable unused features: SkyTunnel, Web Interface (if not needed)
  15. Ensure hardware is installed in accordance with all applicable standards and installation manuals
  16. Ensure all LAN Comms inputs are appropriately monitored in the system area
  17. Ensure the RS485 LAN is “locked” and “secured” (via keypad or controller right-click context menu)

2. Access to Infrastructure

Physical and Logical Access:

  1. Restrict physical access to Integriti server computers
  2. Restrict remote desktop/logical access to server infrastructure
  3. Most actions should be performed from an Integriti Client Workstation, not the server directly

SQL Database Server:

  4. Only Inner Range server node processes should have ongoing database access
  5. Temporary access is required by the Database Configuration Tool during setup/upgrades
  6. Database backups must be secured (network locations, physical off-site media, encrypted backups)
  7. Secure backup encryption keys while protecting against accidental loss

Service Accounts:

  8. Run each Integriti service under a dedicated account with only the exact permissions required:

  • Application Server
  • Controller Server
  • 32-bit and 64-bit Integration Server

Client Workstations:

  9. Reserve client seats for specific workstations to prevent “rogue clients” from attempting unauthorized access

3. Securing SQL Server

Co-Located SQL Server (default Express Edition on the same machine):

  1. Disable remote connections
  2. Follow “Access to Infrastructure” guidelines above

Remote SQL Server:

  3. Consider employing a DBA to configure and manage the database
  4. Use Windows Authentication (not SQL Server Authentication)
  5. Enable Transparent Data Encryption (TDE) to protect data at rest
  6. Enable and use TLS for connections to the database
  7. Configure clients to validate the SQL Server’s certificate
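One way to confirm the remote SQL Server settings above from a Windows host, as an added example that is not part of the original guide or Inner Range tooling. The server and database names are placeholders, and the account running the check is assumed to have permission to read sys.dm_exec_connections (VIEW SERVER STATE on most versions).

```powershell
# Added example. $Server and $Database are placeholders (assumptions).
$Server   = 'sql01.example.internal'
$Database = 'Integriti'

# Integrated Security=SSPI      -> Windows Authentication, no SQL login
# Encrypt=True                  -> TLS is required for the connection
# TrustServerCertificate=False  -> the client validates the server certificate
$connStr = "Server=$Server;Database=$Database;Integrated Security=SSPI;" +
           "Encrypt=True;TrustServerCertificate=False"

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    # Open() throws if the certificate is untrusted or its name does not match $Server.
    $conn.Open()

    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @'
SELECT c.encrypt_option, c.auth_scheme, d.is_encrypted
FROM sys.dm_exec_connections AS c
CROSS JOIN sys.databases AS d
WHERE c.session_id = @@SPID AND d.name = DB_NAME();
'@
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        [pscustomobject]@{
            # 'TRUE' when this session is encrypted in transit
            TlsInTransit = ($reader['encrypt_option'] -eq 'TRUE')
            # NTLM or KERBEROS means Windows Authentication; SQL means a SQL login
            AuthScheme   = $reader['auth_scheme']
            # 1 when Transparent Data Encryption is on for this database
            TdeEnabled   = [bool]$reader['is_encrypted']
        }
    }
}
finally {
    $conn.Dispose()
}
```

A connection that succeeds only after changing TrustServerCertificate to True indicates the client does not trust the server certificate, which is the condition item 7 is meant to rule out.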

4. System Settings

Authentication Mode:

  1. Navigate to System Settings
  2. By default, “Mixed Mode” allows both Windows authentication and built-in authentication
  3. Recommendation: Disable authentication models you are not using

Evidence Vault:

  4. If configured, ensure only the Service Accounts can read/write to this location

Server Lockout:

  5. Recommendation: Disabled — unless a compliance standard requires it. Server lockout can mitigate distributed password-guessing but also provides an avenue for a DOS attack. Enable only if system integrity is far more important than system operation.

Operator Lockout:

  6. Recommendation: Enabled — 5 attempts for 5 minutes. Prevents brute-force attacks on individual operator accounts.

Default Security Policy:

  7. Navigate to System Settings > Security Policies
  8. Create and apply a Default Security Policy to enforce password policy on built-in accounts

5. Communication Handlers

All communication handlers should be considered attack vectors.

REST/XML Web Service:

  1. Enable “Use Security”
  2. Choose HTTPS as the “Security Type”
  3. Specify a dedicated Operator account (unless multiple operators are required)
  4. Use the Firewall to restrict access to the specified port
  5. See Appendix: Securing Web Services and Installing & Binding Certificates

Web Interface:

  6. Enable “Use HTTPS”
  7. Install and bind a valid SSL/TLS certificate
  8. Use the Firewall to restrict access to the specified port

Email Sender:

  9. Enable “Use SSL”
  10. Enable “Require Login”
  11. Use the Firewall to restrict access on the Email Server side to the specific IP address of the Integriti Server

6. Integriti Mobile

Direct to Controller:

  1. Controller supports HTTP with digest authentication only — requires an additional layer of end-to-end encryption (e.g., VPN)
  2. Secured by username and user PIN — choose a strong PIN (at least 6 random digits)
  3. Only assign Remote Access menu group permissions to users with strong PINs

Controller Via SkyTunnel:

  4. Uses HTTPS + AES-based encryption
  5. Secured by username and user PIN — choose a strong PIN (at least 6 random digits)
  6. Only assign Remote Access permissions to users with strong PINs

Via Smartphone Interface Comms Task:

  7. Secured using operator usernames/passwords (operators use linked Users for control permissions)
  8. Security Options:

  • Basic: HTTP with BASIC authentication (unencrypted) — use only with VPN
  • HTTPS: See “Securing Web Services” in Appendix

7. Networking

Network security works by combining multiple layers of defence (defence in depth).

Firewalls:

  1. Configure both software and hardware firewalls to allow only authorised traffic

Network Segmentation:

  2. Integriti is a 3-tier application suite — place SQL database and security field hardware on separate networks from client workstations, with only the Integriti Server requiring access to both

VPN:

  3. Run Integriti proprietary protocols over a VPN for an additional layer of protection — this is best practice even with Integriti’s state-of-the-art encryption

OSI Stack Considerations:

  4. Application Layer: Follow this guide and educate operators to avoid phishing/human attacks
  5. Presentation Layer: Secure client workstations with up-to-date security patches
  6. Session Layer: Integriti uses hardened proprietary protocols with secure session management and replay attack protection
  7. Transport Layer: Standard TCP-based protocols for compatibility with modern network infrastructure
  8. Network/Data Link/Physical Layers: Use redundant network links for high availability

8. Appendix — Securing Web Services

Security Protocols:

  1. Ensure operating systems have all current security patches
  2. Configure Windows to enable only secure protocols (i.e., TLS 1.2) — tools like NARTAC IIS Crypto can help
  3. For maximum security, do not expose web services directly to the internet; use a VPN between the Integriti Application Server and the integrated system
  4. If VPN is not feasible, use firewalls to restrict inbound traffic to known IP addresses of allowed clients

Installing & Binding Certificates:

  5. Obtain an SSL/TLS certificate (self-signed or purchased from a Certificate Authority)
  6. Purchased certificates require a registered Domain Name
  7. Install the certificate in the Integriti Server’s Certificate Store
  8. Bind it to the configured port from the command line:

netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid={00112233-4455-6677-8899-AABBCCDDEEFF}

Note: The port and certhash must match your certificate and configuration; the appid can remain as shown.
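One way to check the binding and apply the firewall restriction from PowerShell, as an added example that is not part of the original guide. The certificate subject, port and client addresses are placeholders, and the output parsing assumes an English-language Windows installation.

```powershell
# Added example. $Subject, $Port and $AllowedClients are placeholders (assumptions).
$Subject        = 'integriti.example.internal'
$Port           = 443
$AllowedClients = @('192.0.2.10', '192.0.2.11')   # documentation-range addresses

# 1. Locate the certificate in the machine store and confirm it is usable.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Subject*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert)               { throw "No certificate with CN=$Subject in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key and cannot be bound' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter); plan a renewal"
}

# 2. Compare its thumbprint with what is currently bound to the port.
$binding = netsh http show sslcert "ipport=0.0.0.0:$Port" | Out-String
if ($binding -notmatch '(?im)Certificate Hash\s*:\s*([0-9a-f]+)') {
    Write-Warning "No certificate is bound to 0.0.0.0:$Port"
} elseif ($Matches[1] -ne $cert.Thumbprint) {
    Write-Warning "Port $Port is bound to $($Matches[1]), expected $($cert.Thumbprint)"
} else {
    Write-Output "Port $Port is bound to the expected certificate"
}

# 3. Allow the port only from the known client addresses.
New-NetFirewallRule -DisplayName "Integriti web service $Port (known clients)" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedClients -Action Allow | Out-Null

# 4. List every enabled inbound allow rule that names this port, so broader
#    rules can be reviewed and disabled. Rules that cover the port through a
#    range (for example 400-500) are not matched by this filter.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile
```

The new rule only narrows access when the firewall's default inbound action is Block and no other enabled rule allows the same port from a wider address range.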

Verification

  • Verify that the Installer operator password has been changed from default
  • Confirm all operators have Operator Types and linked Users
  • Check that Operator Lockout is enabled (5 attempts / 5 minutes)
  • Verify HTTPS is enabled on all web-facing communication handlers
  • Confirm firewalls restrict access to communication handler ports
  • Validate that SQL Server uses Windows Authentication and TLS
  • Test that backups are encrypted and stored securely

Troubleshooting

Issue: Cannot connect after enabling HTTPS
Solution: Verify certificate is installed in the server’s Certificate Store and bound to the correct port using netsh http show sslcert

Issue: Operators locked out after policy change
Solution: Check Operator Lockout settings; temporarily disable or wait for lockout period to expire

Issue: Services won’t start under service accounts
Solution: Verify the service account has required permissions; check Windows Event Log for details

Issue: Database connection fails with TLS
Solution: Ensure SQL Server is configured for TLS and the certificate is trusted on the client