
Secure your player

From SpinetiX Wiki
Note: This page is related to Security.

Introduction

This page provides recommended practices for securing SpinetiX players in a customer deployment.

SpinetiX players are dedicated digital signage appliances, but their security also depends on how they are configured and how they are connected to the network. The recommendations below help reduce unnecessary exposure, protect administrative access, and keep the player aligned with common IT security practices.

For general information about the security model of SpinetiX players, see Security.

Quick checklist

Before putting a player into production, review the following points:

  • Protect access to the player web interface.
  • Use HTTPS access when available.
  • Keep the player firmware up to date.
  • Avoid exposing the player directly to the public Internet.
  • Restrict access to the player from trusted networks or trusted hosts only.
  • Use secure publishing to the player content server.
  • Disable or restrict services that are not required in the deployment.
  • Keep SNMP disabled unless it is explicitly needed for monitoring.
  • Use network segmentation, such as a dedicated VLAN, where appropriate.
  • Review vulnerability scanner findings in the context of the player firmware and enabled services.

Protect access to the player web interface

The player web interface provides access to the player configuration, status information, and management tools. Access to this interface should always be protected with strong credentials.

On DSOS players, user accounts and passwords are managed from the User manager tool in Control Center.

Recommended practices:

  • Change the default administrator password during the initial configuration.
  • Use strong, unique passwords for all player users, and for each deployment.
  • Do not reuse passwords from other systems.
  • Create separate accounts for different users when multiple people need access.
  • Give users only the rights they need.
  • Remove accounts that are no longer required.
  • Change passwords when staff, integrators, or service providers no longer require access.

On legacy HMP players, access passwords are configured from the Security settings 3.x page.

Use appropriate user rights

When creating users, avoid giving administrator rights unless they are required.

Typical access levels include:

  • read-only access for users who only need to view information;
  • content authoring rights for users or systems that need to publish content;
  • administrator rights for users who need to configure the player.

For details about available rights and user management, see User manager tool.

Use HTTPS where available

DSOS players can be accessed using HTTPS when the appropriate certificate configuration is present on the player.

Recommended practices:

  • Install and maintain the required server certificates when HTTPS access is used.
  • Avoid sending credentials over untrusted networks.

Secure content publishing

The player content server is used by Elementi and other clients to publish content to the player using WebDAV.

Recommended practices:

  • Protect publishing access with credentials.
  • Create users with content authoring or administrator rights only when required.
  • Prefer secure publishing over HTTPS where available.
  • Do not expose the content server to untrusted networks.
  • Keep insecure publishing disabled unless explicitly required for compatibility with older firmware or legacy workflows.

Starting with firmware 4.3.0, the player allows connections to its publish server over secure HTTP only, except for compatibility cases when updating from older firmware versions that do not support TLS-SRP.

For details, see Player content server.

Keep firmware up to date

Keeping the player firmware up to date is an important part of maintaining a secure deployment.

Firmware updates may include security fixes, library updates, service hardening, and bug fixes affecting reliability and network behavior.

Recommended practices:

  • Run a supported firmware version.
  • Test firmware updates on a representative player before rolling them out to a large deployment.
  • Keep a regular maintenance process for checking and applying updates.

Review network exposure

Avoid exposing players directly to the public Internet. Direct exposure, for example by forwarding ports from an Internet router to the player, increases the risk of unwanted access attempts, password attacks, denial-of-service traffic, or exploitation of any future vulnerability.

Recommended practices:

  • Keep players on a trusted internal network.
  • Use a VPN or other controlled remote-access solution when remote administration is required.
  • Restrict inbound access using firewall rules.
  • Allow access only from trusted administrator workstations, management servers, or publishing systems.
  • Use a dedicated VLAN or isolated network segment for digital signage players where appropriate.
  • Do not open inbound ports from the Internet unless there is a specific, reviewed requirement.

See the proposed solutions for remote access to the player.

Review required ports and services

Only enable or expose services that are required by the deployment.

Common player services include:

Type      | Port | Usage                                             | Recommendation
TCP       | 80   | HTTP access to the embedded web server            | Restrict to trusted networks; prefer HTTPS where possible.
TCP       | 443  | HTTPS access to the embedded web server           | Prefer this for web interface access when configured.
TCP       | 81   | WebDAV access to the player content server        | Restrict to trusted publishing systems; prefer secure publishing.
TCP       | 9802 | Secure WebDAV access to the player content server | Prefer this for secure publishing when available.
TCP / UDP | 161  | SNMP monitoring                                   | Keep disabled unless required; restrict access if enabled.
UDP       | 1900 | SSDP / UPnP discovery                             | Disable if not required by the deployment.
UDP       | 5353 | Multicast DNS / Bonjour discovery                 | Disable if not required by the deployment.
TCP / UDP | 5355 | LLMNR local name resolution                       | Restrict or disable if not required by the deployment.

For the full list of player ports, see Network ports.

Restrict SNMP access

SpinetiX players support SNMP version 2c with read-only access. SNMP access is disabled by default for security reasons.

If SNMP monitoring is required:

  • enable it only for trusted monitoring systems;
  • restrict access to a specific IPv4 address range whenever possible;
  • avoid enabling unrestricted SNMP access;
  • use firewall rules to limit access to SNMP ports;
  • review monitoring requirements periodically.

For details, see SNMP monitoring.

Use secure network access controls

Where supported by the player and the network infrastructure, use port-based access control to prevent unauthorized devices from connecting to the network.

Recommended practices:

  • Use IEEE 802.1X on supported player models.
  • Place players on a dedicated VLAN where appropriate.
  • Restrict communication between the player VLAN and other internal networks.
  • Allow only the traffic required for content publishing, monitoring, time synchronization, DNS, proxy access, or cloud services used by the deployment.

For related configuration options, see Network settings.

Secure Internet access from the player

Players often need outbound Internet access to retrieve content, synchronize time, access external data sources, or connect to cloud services.

Recommended practices:

  • Allow only the outbound traffic required by the deployment.
  • Use a corporate proxy where required by the IT policy.
  • Configure DNS, gateway, NTP, and proxy settings according to the customer network policy.
  • Avoid giving the player unrestricted access to internal systems it does not need.
  • Review any external URLs, feeds, widgets, or web content used in the project.

For related configuration options, see Network settings.
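The network exposure, port, VLAN and outbound-access recommendations above can be expressed as one allowlist on the gateway that routes between the signage VLAN and the rest of the network. The nftables ruleset below is an added example, not a SpinetiX configuration; every address, the VLAN range and the proxy port 3128 are constructed placeholders to be replaced with the deployment's own values.

```nft
#!/usr/sbin/nft -f
# Added example: forward-chain policy for the gateway between a dedicated
# signage VLAN and other internal networks. All addresses are constructed.

define signage_vlan = 10.10.50.0/24                 # players (assumed range)
define admin_hosts  = { 10.10.1.10, 10.10.1.11 }    # administrator workstations (assumed)
define publish_host = 10.10.1.20                    # Elementi / publishing system (assumed)
define monitor_host = 10.10.1.30                    # SNMP monitoring server (assumed)
define dns_ntp      = 10.10.1.53                    # internal DNS and NTP server (assumed)
define proxy_host   = 10.10.1.80                    # corporate HTTP proxy (assumed)

table inet signage {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inbound to the players: only the services the deployment needs,
        # and only from the hosts that need them (ports as in the table above).
        ip saddr $admin_hosts  ip daddr $signage_vlan tcp dport 443  accept   # web interface over HTTPS
        ip saddr $publish_host ip daddr $signage_vlan tcp dport 9802 accept   # secure WebDAV publishing
        ip saddr $monitor_host ip daddr $signage_vlan \
            meta l4proto { tcp, udp } th dport 161 accept                     # SNMP, only if enabled on the player

        # Plain HTTP (80) and insecure WebDAV (81) are deliberately not forwarded;
        # discovery protocols (1900, 5353, 5355) never cross the VLAN boundary.

        # Outbound from the players: time sync, name resolution and the proxy only.
        ip saddr $signage_vlan ip daddr $dns_ntp    udp dport { 53, 123 } accept
        ip saddr $signage_vlan ip daddr $dns_ntp    tcp dport 53          accept
        ip saddr $signage_vlan ip daddr $proxy_host tcp dport 3128        accept   # proxy port assumed

        # Everything else in either direction is dropped by the chain policy;
        # log it so unexpected traffic shows up in the firewall review.
        ip saddr $signage_vlan log prefix "signage-out-drop: " drop
        ip daddr $signage_vlan log prefix "signage-in-drop: "  drop
    }
}
```

If players must reach cloud services directly rather than through the proxy, add a rule for those destinations only; the log lines show which flows are being blocked while the allowlist is being tuned.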

Protect saved credentials

Players and Elementi may use credentials to access external web resources or publish content.

Recommended practices:

  • Store only credentials that are required by the project.
  • Use dedicated service accounts rather than personal accounts where possible.
  • Limit the rights of accounts used by players.
  • Rotate credentials when access is no longer required.
  • Remove obsolete saved passwords from the player configuration.
  • Protect configuration backups because they may contain sensitive configuration data.

For details, see Credentials.

Disable unused discovery services

Discovery protocols can make deployment and maintenance easier, but they may not be needed in all environments.

Recommended practices:

  • Keep Bonjour, UPnP, and similar discovery services enabled only when required.

See also
