Security Controls Assessment – Physical Security Network
Harden all devices: Apply vendor hardening guides before production. Genetec, Axis, Bosch, Milestone all publish them.
Firewall and VPN: No exposed management ports. Remote access via VPN with MFA only.
Default credentials: Change every default password on every device before it goes into production.
Centralized logging: Authentication events, connection logs, admin actions. Forward to a centralized service.
Network segmentation: Cameras, access control, systems, management on separate VLANs.
Multi-factor auth: VPN, VMS, management interfaces. Not optional.
Central AAA (AD + RADIUS): Active Directory with 802.1X and RADIUS for network access control.
Patch schedule: Firmware, OS, application. End-of-support systems need compensating controls.
Tested backups: 3-2-1 rule. Encrypted offsite. Actually tested, not just assumed to work.
Endpoint protection: Behaviour-based EDR on servers and workstations. Host firewall enabled.

Orange = common gap. Red = critical gap. Green = typically in place.

Your organization probably spent a significant amount of money on cameras, access control, and monitoring systems to protect people and assets. There is a good chance the network those systems run on is one of the least secure networks you have.

Over the past 15 years, I have worked on thousands of CCTV and access control networks across government, law enforcement, healthcare, transportation, and enterprise environments. The common trait across all of them? These networks are consistently under-secured. The systems we invest in to protect physical assets are often the most exposed to digital threats.

This is not a failure of intent. It happens for predictable reasons.

Security integrators specialize in cameras, panels, and software. Many are excellent at what they do. But they are often not equipped to design or secure the underlying network infrastructure. IT and cybersecurity are not their core competency, and the industry has been slow to close that gap.

Clients also play a role. There is often reluctance to invest in firewalls, VPN services, or proper segmentation because it adds cost and perceived complexity. Many organizations want their systems to work without involving IT, and that preference for convenience creates exposure.

Open management interfaces, exposed remote access ports, default credentials, flat networks with no segmentation. These are still common. They should not be.

The good news is that most of this risk can be reduced without massive investment. The controls below are practical, implementable on existing infrastructure, and applicable across any physical security platform.


Harden Servers and Network Devices

Every camera, server, switch, panel, and controller should be hardened before going into production. Most quality manufacturers publish hardening guides for their platforms. Genetec, Milestone, Axis, Bosch, and others all provide documentation on how to reduce the attack surface of their products. Follow those guides. If your integrator is not applying them, ask why.

Hardening includes disabling unnecessary services, restricting management access to specific IP ranges, applying proper authentication, removing default configurations, and changing all default credentials. These steps take time during deployment. They prevent problems later that take significantly more time to resolve.

For network devices specifically: disable Telnet, enable SSHv2, restrict SNMP to read-only if SNMP is required at all, disable CDP/LLDP on access ports, configure console and VTY timeouts, and require authentication for all management access. These are baseline items. They belong in your standard switch configuration template, not as an afterthought.
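One way to check a switch configuration template against that baseline before it is pushed, as an added example (not the post's own tooling): the sample config is constructed and the matched strings assume IOS-style syntax, so adapt them for other platforms.

```python
"""Check an IOS-style switch config against the baseline above. Added example, not the
post's own tooling: the config is constructed and the matched strings assume IOS-like
syntax, so adapt them for other platforms."""

SAMPLE_CONFIG = """\
ip ssh version 2
snmp-server community public RW
line con 0
 exec-timeout 10 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh telnet
interface GigabitEthernet1/0/1
 switchport mode access
 no cdp enable
 no lldp transmit
 no lldp receive
interface GigabitEthernet1/0/2
 switchport mode access
"""

# Discovery protocols stay off on ports that face cameras and panels.
REQUIRED_ON_ACCESS_PORTS = ("no cdp enable", "no lldp transmit", "no lldp receive")

def parse_blocks(config):
    """Split the config into (header, child lines); indented lines belong to the block above."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            blocks.append((raw.strip(), []))
    return blocks

def audit_config(config):
    """Return human-readable findings; an empty list means every baseline item is present."""
    blocks = parse_blocks(config)
    findings = []
    if "ip ssh version 2" not in [h for h, _ in blocks]:
        findings.append("global: SSH not pinned to version 2")
    for header, body in blocks:
        if header.startswith("snmp-server community") and "RW" in header.upper().split():
            findings.append(f"global: read-write SNMP community ({header})")
        if header.startswith("line "):
            if any(c.startswith("transport input") and "telnet" in c for c in body):
                findings.append(f"{header}: Telnet permitted on transport input")
            timeout = next((c.split()[1:3] for c in body if c.startswith("exec-timeout")), None)
            if timeout is None or timeout in (["0"], ["0", "0"]):  # 0 means never time out
                findings.append(f"{header}: no usable exec-timeout")
            if not any(c.startswith("login") for c in body):
                findings.append(f"{header}: no authentication on management line")
        if header.startswith("interface ") and "switchport mode access" in body:
            findings += [f"{header}: missing '{r}'" for r in REQUIRED_ON_ACCESS_PORTS if r not in body]
    return findings
```

Run it against the template in your repository and fail the commissioning checklist on any non-empty result.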

For servers running VMS or access control software: apply OS hardening as covered separately in the Windows Server hardening series on this site. Disable unnecessary services, remove unneeded features, configure the Windows Firewall, and apply patching on a defined schedule.


Use Firewalls and VPNs for Remote Access

Security networks should be isolated from corporate networks and from the internet. Firewalls and gateway technologies provide that separation.

Remote access should go through a VPN. Not an exposed RDP session on port 3389. Not a camera with a port forward that lets the integration vendor connect to it directly from the internet. A VPN with MFA, where the session is authenticated and logged, and where the vendor’s access is scoped to what they actually need.

Limit internet access from the security network with an explicit whitelist. Only systems that explicitly require outbound connectivity should have it. For update management, deploy a central WSUS or update server with controlled internet access rather than giving every device direct outbound access. Your cameras and access control panels do not need to reach arbitrary internet destinations. Control what communicates externally.

Port forwards to cameras and VMS servers are one of the most common gaps I see documented in security audits. Every open port is an attack surface. Camera firmware vulnerabilities are real and discovered regularly. Vendors push firmware updates precisely because these vulnerabilities get found and exploited. If you have deployments with cameras or VMS servers exposed directly via port forwarding, it is worth having that conversation with the client and documenting the risk in writing if they choose not to remediate.

Exposed remote access is the most common initial access vector for attacks on physical security networks. An RDP port exposed to the internet will be scanned and attacked within hours of going live. VPN is not an optional enhancement. It is the minimum standard for any system that requires remote management.


Change Default Credentials

Every new device and every new installation should mean new credentials. No exceptions.

Default usernames and passwords are publicly documented. They are in manufacturer documentation, on vendor support sites, and in searchable databases used by automated scanning tools. These tools scan the internet continuously. A camera with a default password that is accessible from the internet will be found and compromised, typically within the same day it goes online.

This is not a theoretical risk. Default credentials are the most commonly exploited vulnerability in physical security deployments. The Mirai botnet, which took down significant internet infrastructure in 2016, was built almost entirely from compromised cameras and DVRs running default credentials.

Use a password manager to track credentials across devices and installations. Require integrators and vendors to update their passwords regularly. Better yet, only activate vendor accounts when access is needed and disable or delete them when the work is complete. Shared passwords between sites or between staff create risk that compounds over time. One leaked credential should not mean every system you have commissioned is accessible to someone you did not authorize.

On Genetec environments specifically: disable the default admin account after creating named administrator accounts tied to individual users. Every action in Genetec is logged with the account that performed it. If everyone uses a shared admin account, your audit trail is useless.


Enable Logging

Configure logging for authentication events and connections across servers, switches, cameras, and access control systems. Forward events to a centralized logging service.

This is both a security control and a troubleshooting asset. When something goes wrong, whether it is a security event or an operational failure, having a clear record of what happened and when is critical. Without centralized logging, investigations are slow, incomplete, and often inconclusive. With it, you can reconstruct the full sequence of events.

The 5 Ws of any security event: who, what, when, where, and why. Good logging gives you all five. Logging that lives only on the device that was compromised gives you nothing after the attacker covers their tracks.

At minimum, log authentication successes and failures, configuration changes, administrative actions, and network connection events from infrastructure devices. On Windows Server systems, use Advanced Audit Policy Configuration rather than basic audit policies – it provides significantly more granularity and is covered in detail in the audit logging post in this series.

A SIEM is not required for meaningful logging. Even forwarding events to a syslog server that stores them for 90 days is substantially better than no centralized logging. Start somewhere. The logs that exist when something happens are infinitely more useful than the logs you wished you had configured.


Isolate and Segment Networks

Security systems should not share the same unrestricted network as corporate workstations, printers, and guest Wi-Fi.

Network segmentation creates separation between systems based on function. CCTV, access control, corporate, and guest traffic should be isolated into distinct network segments using VLANs or physical switch separation. If one system becomes compromised on a flat network, the attacker can reach everything. Segmentation contains that movement and limits the scope of any incident.

This does not require expensive infrastructure changes. Most modern managed switches and firewalls support VLAN configuration and access policies at entry-level price points. The cost of segmentation at commissioning is a small fraction of the cost of a breach that propagates across a flat network.

A practical segmentation scheme for a physical security deployment on a single site using 10.42.67.0/24 as an example network:

VLAN 99  – Management:     10.42.67.x – Switch SVIs, firewall interfaces
VLAN 100 – Systems:        10.42.67.x – VMS servers (.11, .12), workstations (.20-.50)
VLAN 101 – CCTV:           10.42.67.x – Cameras (.100-.200)
VLAN 102 – Access Control: 10.42.67.x – Panels, controllers (.100-.180)
VLAN 666 – Blackhole:      No routing – Unused ports, no services

For multi-site deployments, use a site-based addressing scheme: 10.<site>.<vlan>.<host>. The VLAN identifier embedded in the address means you can identify what a device is and where it is from the address alone, which matters during troubleshooting at 3 AM.
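What "identify the device from the address alone" looks like as a tool, as an added example (not from the original post): it decodes the 10.<site>.<vlan>.<host> scheme using the VLAN ids and host ranges from the table above; the role labels and the management host range are assumptions.

```python
"""Decode and allocate addresses under the 10.<site>.<vlan>.<host> scheme. Added example,
not from the original post; VLAN ids and host ranges follow the table above, the role
labels and the management range are assumptions."""
import ipaddress

# VLAN id -> (name, {role: (first_host, last_host)}). VLAN 666 (blackhole) is unrouted
# and does not fit in an octet, so it carries no addresses in this scheme.
VLAN_PLAN = {
    99: ("Management", {"switch SVI or firewall interface": (1, 254)}),  # range assumed
    100: ("Systems", {"VMS server": (11, 12), "workstation": (20, 50)}),
    101: ("CCTV", {"camera": (100, 200)}),
    102: ("Access Control", {"panel or controller": (100, 180)}),
}

def describe(address):
    """Return (site, vlan_name, role); raise ValueError when the address breaks the scheme."""
    first, site, vlan, host = ipaddress.IPv4Address(address).packed
    if first != 10:
        raise ValueError(f"{address}: not inside 10.0.0.0/8, so not a security-network address")
    if vlan not in VLAN_PLAN:
        raise ValueError(f"{address}: third octet {vlan} is not a planned VLAN")
    name, roles = VLAN_PLAN[vlan]
    for role, (lo, hi) in roles.items():
        if lo <= host <= hi:
            return site, name, role
    return site, name, "unplanned host outside every documented range"

def is_planned(address):
    """True only when the address decodes to a documented VLAN and host range."""
    try:
        return not describe(address)[2].startswith("unplanned")
    except ValueError:
        return False

def allocate(site, vlan, host):
    """Build a device address and refuse it unless it lands in a documented range."""
    address = f"10.{site}.{vlan}.{host}"
    if not is_planned(address):
        raise ValueError(f"{address} is outside the documented plan")
    return address
```

At 3 AM, describe("10.42.101.150") telling you "site 42, CCTV, camera" is the whole point of the scheme.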

Segmentation is one of the most consistently skipped steps in physical security deployments. It adds time during commissioning. Clients cannot see what they are getting. The value only becomes visible when something goes wrong and the impact is contained rather than total. The conversation is worth having every time.


Implement Multi-Factor Authentication

Use MFA wherever it can be deployed. On VMS platforms, on management interfaces, on VPN access, on anything that controls or provides access to critical systems.

MFA prevents unauthorized access even when passwords are compromised. It is one of the most effective individual controls available and should be treated as a requirement, not an enhancement.

This applies to Active Directory environments, to Genetec Security Center operator accounts, to C-CURE 9000 administrative access, to Milestone Management Client, and to any system where an operator login controls physical security functions. Enabling MFA on these systems is straightforward on modern platforms. The friction for legitimate users is minimal. The friction for an attacker with a compromised password is total.

MFA on privileged accounts and externally-facing services is no longer optional in environments that take security seriously. Many insurance providers and compliance frameworks have reached the same conclusion.


Deploy Central Authentication (AAA)

Deploy, integrate, and use Active Directory where possible to centralize management of users and access. This provides a significant increase in security posture over local accounts scattered across dozens of devices with inconsistent password policies and no central oversight.

In larger deployments, especially multi-server Genetec environments, AD provides centralized authentication, consistent security policy enforcement, and reliable time synchronization across the environment. Kerberos authentication requires synchronized clocks. A 5-minute time difference between a Genetec server and the domain controller will cause authentication failures. Time synchronization is not optional in AD-integrated environments.

Use 802.1X and RADIUS for network access control where possible. This ensures that devices connecting to the network are authenticated before they are allowed to communicate. An unrecognized device connecting to a camera port on a properly configured switch with 802.1X will not get network access. That is exactly the behavior you want.

Central AAA means accountability. Every access event is logged with who performed it, from which system, at what time. When something needs to be investigated, that accountability chain is what makes the investigation conclusive.


Harden Active Directory

If you deploy Active Directory, you need to secure it properly. AD serves as the central authority for authentication and authorization on most enterprise networks. When it is compromised, the attacker effectively owns everything that AD controls.

The low-hanging fruit that must be removed: implement tiered administration, deploy LAPS for local administrator passwords, enforce strong password policies with a length requirement rather than just complexity, disable legacy authentication protocols and hash storage (NTLMv1, LM hashes), and properly configure audit policies. AD should be connected to your centralized logging so that a compromise does not go undetected.

A dedicated Windows Server hardening guide is available in this series. Active Directory hardening goes beyond OS hardening and is covered in the Group Policy hardening post specifically.


Patch and Update Everything

Patching is not limited to Windows Updates. Cameras, access control panels, switches, firewalls, and even UPS units receive firmware updates that address security vulnerabilities. Stay current on updates. When software reaches end of support, it is time to upgrade or implement compensating controls.

For environments where cameras and access control systems run on Windows Server, consider Windows Enterprise LTSC (Long-Term Servicing Channel). LTSC provides security updates without the constant feature changes that can cause compatibility issues with security platforms that have strict OS version requirements. Several VMS platforms and access control systems have explicit LTSC support for exactly this reason.

WSUS for centralized Windows update management. A scheduled firmware review and update process for network infrastructure and cameras. Documented end-of-support dates for every major component. These are the building blocks of a patching program that actually functions.


Back Up Critical Systems and Configurations

Think about your environment. What systems would be painful to rebuild from scratch? Could you actually restore them if you needed to?

Losing an entire cardholder database, a credential management system, or camera configurations is not theoretical. It happens. Ransomware has encrypted physical security systems. Hardware has failed in ways that were not covered by vendor support agreements. And when it does happen, the recovery process is either fast and controlled or slow and chaotic depending on whether tested backups exist.

Switch configurations should be backed up after every change and stored in a version-controlled system. Server configurations and databases should be backed up on a scheduled basis. Those backups should be tested by actually restoring them to a test environment. A backup that completes successfully every night but has never been tested is an assumption, not a safety net.

Follow the 3-2-1 rule: three copies of the data, two different storage media types, one offsite. Encrypt backups, especially offsite copies. Test restores on a quarterly schedule minimum. Document the restore procedure and keep it somewhere other than the system you might need to restore from.


Deploy Endpoint Protection and Monitoring

Workstations and servers should have endpoint protection deployed. Traditional signature-based antivirus is not sufficient on its own. Modern threats require behavior-based detection.

EDR, MDR, or XDR platforms provide visibility and response capabilities that go beyond what legacy antivirus tools offer. Whether you deploy a full managed solution or a centrally managed platform with behavioral detection, make sure it is properly configured, tuned with appropriate exclusions for the security software it is protecting, and actually tested.

For Genetec Security Center servers specifically: antivirus exclusions are critical and must be configured correctly. Incorrect exclusions cause Genetec performance problems that look like hardware or software issues. Genetec publishes specific exclusion lists for their server roles, databases, and media storage paths. Apply them. StreamVault appliances ship with Aurora Protect pre-configured with the correct exclusions – if you replace it with a different product, all exclusions must be configured manually.

Host-based firewall policies should remain enabled and properly configured. Disabling the Windows Firewall to resolve application connectivity issues is a shortcut that introduces significant risk. Identify the specific ports that need to be open and add explicit rules. The firewall log will tell you what is being blocked.
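Reading the firewall log before writing rules, as an added example (not the post's tooling): it summarises dropped inbound connections per port from the default pfirewall.log field layout, using constructed log lines with illustrative port numbers, and drafts a scoped allow rule only for sources inside the security ranges (the 10.42.0.0/16 default is an assumption).

```python
"""Summarise what the Windows Firewall log is blocking so explicit rules can be written
instead of disabling the firewall. Added example, not from the original post; the log
lines are constructed in the default pfirewall.log field layout, ports are illustrative."""
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:15:21 DROP TCP 10.42.100.25 10.42.100.11 51234 5500 52 S 1 0 8192 - - - RECEIVE
2024-03-04 09:15:22 DROP TCP 10.42.100.25 10.42.100.11 51235 5500 52 S 1 0 8192 - - - RECEIVE
2024-03-04 09:15:40 DROP TCP 10.42.100.30 10.42.100.11 49801 5500 52 S 1 0 8192 - - - RECEIVE
2024-03-04 09:16:02 DROP UDP 10.42.101.150 10.42.100.11 554 6000 1200 - - - - - - - RECEIVE
2024-03-04 09:16:05 DROP TCP 203.0.113.9 10.42.100.11 40022 3389 52 S 1 0 8192 - - - RECEIVE
2024-03-04 09:16:09 ALLOW TCP 10.42.100.11 10.42.100.20 5500 51000 52 S 1 0 8192 - - - SEND
"""

def blocked_inbound(log_text):
    """Map (protocol, dst-port) -> sorted source IPs for every dropped inbound packet."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 17:
            continue  # truncated or foreign line: skip rather than guess at fields
        action, proto, src, dst_port, path = f[2], f[3], f[4], f[7], f[16]
        if action == "DROP" and path == "RECEIVE":
            hits[(proto, int(dst_port))].add(src)
    return {key: sorted(v) for key, v in hits.items()}

def suggest_rule(name, proto, port, sources, allowed_net="10.42.0.0/16"):
    """Draft a scoped allow rule in netsh advfirewall syntax for an admin to review.
    Sources outside allowed_net (assumed to be the site's security ranges) are never
    included; if none remain, there is nothing legitimate to allow and None is returned."""
    net = ipaddress.ip_network(allowed_net)
    scoped = [s for s in sources if ipaddress.ip_address(s) in net]
    if not scoped:
        return None
    return (f'netsh advfirewall firewall add rule name="{name}" dir=in action=allow '
            f"protocol={proto} localport={port} remoteip={','.join(scoped)}")
```

The 3389 entry from 203.0.113.9 is the case the filter exists for: a blocked connection is evidence of what is knocking, not a request to open the door.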

Early detection can be the difference between a contained event and a full-scale incident. Visibility into what is running on your endpoints is the foundation of that early detection.


Putting It Together

Security systems exist to protect people, assets, and operations. The networks they run on deserve the same level of attention.

These controls are not complex and they do not require massive budgets. Most of them can be implemented with existing infrastructure and standard operational discipline. What they require is intent. Someone has to decide that the security network is worth securing.

If you are unsure where your environment stands, start with a review. Identify the gaps. Prioritize based on risk and feasibility. Address them systematically. The checklist at the top of this post gives you a starting framework. None of those items should be permanently red.

The systems that protect your organization should not be the weakest point in your network.