Setting up Security

Caution: Ensure system operates at a security level that matches your organization's requirements

As an administrative user, you must ensure your system operates at a security level that matches the requirements of your organization.

By introducing this appliance into your network, you accept that there are risks involved in deploying the system, and you acknowledge that you have reviewed the default PCoIP Management Console and CentOS configuration and have performed any other changes to make the security level appropriate for your deployment.

Note: Update your software to the current release

From time to time, updates may be made available, either from Teradici or the developers of CentOS. While Teradici recommends staying current on releases, it is also recommended that you test updates on a test system prior to upgrading your production system or back up a snapshot of the PCoIP Management Console before running the update.

The OS admin user must use the sudo command when performing actions that require elevated privileges.

Note: Non-root Linux passwords must be at least ten characters long

Non-root Linux passwords must be at least ten characters long and contain one each of upper case, lower case, decimal, and special characters. When changing a non-root Linux password, the new password must be at least four characters different from the previous password.
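A pre-check for the password rules in this note, written as an added example (not Teradici's code). Reading "special" as ASCII punctuation, and "characters different" as characters of the new password that do not occur in the old one, are assumptions; the sample passwords are constructed.

```python
import string

MIN_LENGTH = 10   # "at least ten characters long"
MIN_CHANGED = 4   # "at least four characters different from the previous password"

# Character classes named by the policy. Assumption: "special" means any
# printable ASCII punctuation character.
CLASSES = {
    "upper case": string.ascii_uppercase,
    "lower case": string.ascii_lowercase,
    "decimal": string.digits,
    "special": string.punctuation,
}


def changed_characters(new, old):
    """Count characters of `new` that do not occur anywhere in `old`.

    Assumption: this is how "characters different" is measured; the
    appliance's own check may count differently.
    """
    return sum(1 for ch in new if ch not in old)


def policy_violations(new, old=None):
    """Return a list of violations; an empty list means the password complies."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in new):
            problems.append(f"no {name} character")
    # The difference rule only applies when a previous password is supplied.
    if old is not None and changed_characters(new, old) < MIN_CHANGED:
        problems.append(
            f"fewer than {MIN_CHANGED} characters differ from the previous password"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    previous = "Winter#2023ab"
    for candidate in ("Winter#2024ab", "short1!A", "alllowercase1!", "Gr@nite-Fjord77"):
        print(candidate, "->", policy_violations(candidate, previous) or "OK")
```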

The following table contains some further recommendations for securing your PCoIP Management Console over and above the default CentOS security configuration undertaken by Teradici.

PCoIP Management Console Security Recommendations

Recommendations Description
Network security
Configure your corporate firewall as follows:
  • Block inbound traffic from unsecured networks to the PCoIP Management Console on all ports (for example, block traffic from the Internet).
  • Block outbound traffic from the PCoIP Management Console to unsecured networks on all ports except for ports 80 and 443. Port 80 must be open for system updates and port 443 for system updates and licensing.
Operating system security
  • Change the default passwords for the virtual machine admin user, root user, and web UI admin user immediately after installing the PCoIP Management Console. See Accessing the PCoIP Management Console Virtual Machine Console.
  • Ensure the CentOS firewall only allows port access to the ports that are required for the PCoIP Management Console to run. See Default firewall port settings are as follows.
  • Update CentOS third-party packages on a regular basis using the sudo yum update "package" command.
    Note: Prior to updating your production system
    To ensure that a library update does not cause problems, Teradici recommends that you perform updates on a test system (or that you take a snapshot of the PCoIP Management Console) before updating your production system. See Backing Up PCoIP Management Console Database.
  • Remove external NTP server references. See NTP Configuration Considerations.
PCoIP Management Console web UI security
  • Create a new PCoIP Management Console web UI administrative user, disable the default admin account, and provide the desired role (PCoIP Management Console Enterprise only).
    Note: Re-enabling admin account
    If you have disabled the admin account and plan to revert the PCoIP Management Console Enterprise to PCoIP Management Console Free, this account must be re-enabled before you can log in again to the PCoIP Management Console web UI. Alternatively, you can run a script from the PCoIP Management Console virtual machine console to re-enable the default admin account.
  • Replace the PCoIP Management Console certificate with your own custom certificate and upload it to all endpoints. See Managing PCoIP Management Console Certificates.
  • Check the Teradici support site for the latest PCoIP Management Console release.
  • Enable HTTP Strict Transport Security (HSTS). HSTS is a policy that helps protect web server appliances against particular types of attacks against the communication between the web browser and the web server.
    See HTTP Strict Transport Security for details on how to enable HSTS.
    Important: Requirements
    HTTP Strict Transport Security (HSTS) requires:
      • The PCoIP Management Console to have a proper trusted certificate installed
      • The chain or root certificate to be installed in the browser used to connect to the PCoIP Management Console