Hi, I'm here because I want to upgrade...

mm83

n3wb
Joined
Sep 9, 2023
Messages
5
Reaction score
2
Location
Germany
Just ordered three different 5442 S3 from Andy. After the test when it runs I will get the NVR5232-EI and the other 5442. And if my wife has not lynched me by then or blocked my bank account, maybe I'll add an SD4.
 

jec6613

Getting the hang of it
Joined
Sep 6, 2023
Messages
56
Reaction score
76
Location
Connecticut
There are zero open ports to the net on a windows pc behind a firewall. All these ports listening on your private network are irrelevant.

Your entire post assumes that your network is compromised and someone has access to it, in that case you are completely fucked so who cares if they also have access to your BI pc. Honestly, in your mind you are thinking, oh shit, if someone has control over my cell phone with all my private data and pics, I must work diligently to prevent them from accessing a windows pc on my network??
Even if this is a concern, they can more easily gain access to the Dahua NVR than a windows pc that has been unpatched for years.
That's not how exploits work. Someone has a malicious app on my phone does not mean they necessarily have all of my data and pics, nor does it mean you're completely fucked. The point is to stop the attack chain as early as possible. Seriously, here's a book for you:
PS: the print spooler vulnerability CANNOT be executed on a machine that is not already compromised. You are talking about a machine running Blue Iris, AI and maybe a time server. How is it getting compromised via the print spooler vulnerability?
Please enlighten me as to how NIST and CISA are incorrect?
It's laughable that you think a Dahua NVR is MORE secure. You are talking about a manufacturer that IGNORES known vulnerabilities disclosed to it and possibly builds some of them into its code intentionally. Then at the 2 year mark they intentionally stop providing firmware marking the unit EOL....
That's not what I said, I said:
Windows system is incredibly chatty, especially a desktop OS but Server operating systems are not immune, and has far more and more severe vulnerabilities than a Chinese NVR, they're just not necessarily public yet.
Please re-read and carefully parse it. Windows has multiple orders of magnitude more code exposed to the internet; it is expected that it will have more vulnerabilities, as even as good as Microsoft code quality is, it's not over 100x better.

But if you want to be insane, any windows user can simply allow windows to install updates and it will do so on its own, or you can do so every few months.
Will you please enlighten me how it's insane to perform step 1 to basic Windows security?
You can also easily place the BI pc and cams on their own vlan.
Yes you could, but that's still at best mediocre practice. BI and the cameras should be on their own VLANs with a firewall between, this is not the case for an NVR and its cameras as the NVR is already micro-segmented.
That's the beauty of it, YOU as the end user can choose what you want to do with a windows pc. The security updates are available. There is absolutely no need to start shutting down services that are running on the other 5 windows machines in the house. That is why there is no guide for it.
Other people make guides to it:

One of the most shocking things to me when I joined was that, looking through the BI guides, there's no guide on how to either segment your network (starting from a principled approach) or secure a Windows system running Blue Iris. At least a few dozen lines of PowerShell to apply parts of the below link would go a long way:

 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,782
Reaction score
39,048
Location
Alabama
One of the most shocking things to me when I joined was that, looking through the BI guides, there's no guide on how to either segment your network (starting from a principled approach) or secure a Windows system running Blue Iris.
"Shocking?" You're kidding, right?

Since I've been using, buying, building and maintaining personal computers, networks and similar devices beginning in 1973, I don't recall buying a PC, router, modem, switch, PC component, etc. that came with any instructions other than perhaps how to plug it in and turn it on, but certainly no exhaustive "how-to" guide.

I recall on occasions a device would have a reference in it regarding security or application advisories but a guide on "how to segment your network" or "secure a Windows system"? If there were any, they didn't impress me enough to be of any use or to be able to recall their existence.

Perhaps that's why there are TONS of "how-to" books and online articles that address that. It's not the duty of a software product's developer to instruct on how to secure your network....that is akin to expecting an automotive aftermarket parts builder of exhaust systems to instruct you on how to drive the car you install their system on. :cool:
 

jec6613

If I wasn't clear, I was referring to IPCamTalk's guides, not Blue Iris (or any other vendor) itself, because I've also had very few guides like that come along, usually from Juniper, Cisco, Microsoft, the really big players and written because they employ PhDs and writing the books is a side job. IPCamTalk is a bunch of user-generated content that really should cover all of those cases though.

Though since you mentioned it, I looked at the BI forums and found that the developer provides a more comprehensive guide (not sure when this became a thing, I've been running BI for so long and my day job keeps my knowledge current for Windows). It's still not great, but it's certainly better than what's on IPCamTalk for system configuration.
 

TonyR

If I wasn't clear, I was referring to IPCamTalk's guides, not Blue Iris
In other words, you've read the THOUSANDS of pages of this forum, many of which address what you speak of, long BEFORE you joined 5 days ago, you've read those THOUSANDS of pages SINCE you joined 5 days ago OR......you're clairvoyant and know that NONE of what you speak of is addressed in those THOUSANDS of pages in IPCT.

Which is it? :idk:
 

jec6613

If they are addressed, they're not above the fold in any of the stickied posts in the BI section or Cybersecurity section, or IP Cam Talk Wiki.

If such guides exist here, I'm happy to be proven wrong, please link them. :)

In the meantime, compare and contrast that to the first party option, a neatly organized configuration guide that goes into surprising depth: Blue Iris - Self Help Content
 

mm83

Excellent discussion.
I got tons of useful information in between, I am very grateful for this!

Regardless of whether BI or China-NVR, these come into their own network segment that is protected from the outside by network rules and a packet filter firewall and the two people who are allowed to access video-data dial into the segment via VPN. And even then, only the service that is required to operate the interface is released through the VPN tunnel. So I can ignore all updates of cameras/NVR/BI and still sleep relaxed. In Europe, until a few years ago, there were still banks that operated their ATMs in this way with Windows NT 3.5 and Win XP. One cheap router running OpenWRT can do this, even if I use UniFi for this, but only because it is here anyway.

How I get push messages and warnings out I still have to look at though, could still be a critical point.
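
The layout described in the post above, sketched as a stand-alone nftables ruleset for a Linux router. This is an added example, not part of the original post or any poster's configuration; every interface name, address and port in it is an assumption.

```nftables
#!/usr/sbin/nft -f
# Added example: isolated camera/recorder segment, reachable only via VPN,
# and only on the one service the viewing interface needs.
# All names, addresses and ports below are assumptions for illustration.

define WAN_IF   = "eth0"          # uplink to the internet
define LAN_IF   = "br-lan"        # ordinary home LAN
define CAM_IF   = "br-cam"        # camera + BI/NVR segment
define VPN_IF   = "wg0"           # VPN tunnel interface (WireGuard assumed)
define VPN_PORT = 51820           # VPN listen port on the router
define RECORDER = 192.168.50.10   # BI PC or NVR (constructed address)
define UI_PORT  = 443             # the single service released to VPN users

# Idempotent reload: create the table if missing, then start from empty.
table inet camseg
delete table inet camseg

table inet camseg {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The only thing the router answers from the internet is the VPN.
        iifname $WAN_IF udp dport $VPN_PORT accept
        # Router administration stays on the home LAN.
        iifname $LAN_IF accept
        # Cameras get DHCP and time from the router (assumes it serves NTP),
        # since the segment has no path to public time servers.
        iifname $CAM_IF udp dport { 67, 123 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # VPN users reach the recorder's interface and nothing else.
        iifname $VPN_IF oifname $CAM_IF ip daddr $RECORDER tcp dport $UI_PORT accept
        # Home LAN keeps normal internet access.
        iifname $LAN_IF oifname $WAN_IF accept
        # Anything the camera segment tries to send out is logged, counted
        # and dropped, which also makes phone-home attempts visible.
        iifname $CAM_IF log prefix "camseg-egress-drop " counter drop
    }
}
```

With the forward policy set to drop, the camera segment has no outbound path at all, so any push or alert mechanism would need its own narrowly scoped rule rather than a general egress allowance.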
 