The AEM Screens Security Checklist page describes the key security areas with a checklist of questions and considerations.
| Area | Checklist |
|---|---|
| AEM and Screens Software updates | a. Has the latest Adobe Experience Manager (AEM) service pack been applied? |
| | b. Has the latest AEM Screens Feature Pack been applied? |
| | c. Are you using the latest available AEM Screens Player software from AEM Screens Player Downloads? |
| Physical Security | a. Have you disabled all unnecessary ports? |
| | b. Have you secured cabling and hardware? |
| | c. Are you using any containers, if applicable? |
| Network Security | a. Are you using an isolated subnet for your signage devices? |
| | b. Does the isolated subnet allow access to the required endpoints, including AEM, Adobe Analytics or other required services? |
| | c. Have you secured your Wi-Fi using enterprise best practices? |
| | d. If using synchronized playback, have you allowed TCP 24503 for WebSocket only on the master device(s)? |
| | e. Have you unblocked the range of IP addresses of the player devices so that only authorized devices can access the registration service on author? |
| Operating System Security | a. Have you upgraded to the latest version of the operating system and applied all necessary security patches? |
| | b. Have you disabled all unnecessary services and removed unnecessary applications? |
| | c. Have you enrolled the device into device management to enforce enterprise policies? |
| | d. Have you locked down the device to a single-application (player) kiosk? |
| | e. Do you have a Standard Operating Procedure (SOP) in place for installing OS security updates over time? |
| | f. Have you followed the security best practices for the operating system in use, such as anti-malware software and a non-administrative user? |
| Application Security | a. Have you disabled the Admin UI, Channel Switcher and Activity UI for production? |
| | b. Have you minimized the log level for production? |
| | c. Are you using HTTPS for connecting to AEM? |
| | d. Are you using a CA-signed certificate or an enterprise PKI (not self-signed certificates)? |
| | e. Are you using TLS and not SSL v3? |
| | f. Are you validating the registration token on the device and on AEM when registering? |
| | g. Have you classified the data being used and confirmed that no Personally Identifiable Information (PII) or Protected Health Information (PHI) exists on the device? |
| | h. Have you configured monitoring e-mails, and do you have an SOP in place for responding to monitoring e-mails and handling non-pinging devices? |
| Access Control | a. Do you have Role Based Access Control (RBAC) identified and managed in-house? |
| | b. Have you followed the principle of least privilege in providing access to authors, administrators and players, using best practices from Adobe? |
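Several of the Network Security and Application Security items above can be checked mechanically before a player goes live. The script below is an added example written for this page; it is not Adobe's code and not part of the AEM Screens Player. It assumes a hypothetical player configuration dict (the keys `aem_url`, `admin_ui`, `channel_switcher`, `activity_ui` and `log_level` are illustrative, not real AEM Screens settings), and the sample values are constructed. It builds the TLS client context a compliant player would use (TLS 1.2 or later, CA-verified certificate, hostname checked), audits the configuration against items a, b and c of Application Security, and tests a client address against the signage subnet for item e of Network Security.

```python
"""Offline checks for AEM Screens checklist items (added example, not Adobe code)."""
import ipaddress
import ssl
from urllib.parse import urlparse

# Constructed sample configuration; the key names are hypothetical.
SAMPLE_PLAYER_CONFIG = {
    "aem_url": "http://aem-author.example.internal:4502",
    "admin_ui": True,
    "channel_switcher": True,
    "activity_ui": False,
    "log_level": "DEBUG",
}

# Log levels considered acceptable for a production player (assumed threshold).
PRODUCTION_LOG_LEVELS = {"WARN", "ERROR"}


def make_player_tls_context() -> ssl.SSLContext:
    """Client context for Application Security items c, d and e:
    HTTPS with TLS 1.2+ only (SSL v3 and TLS 1.0/1.1 refused), certificate
    chain validated against the system or enterprise CA store, hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_summary() -> dict:
    """Human-readable view of the context settings, for audit output."""
    ctx = make_player_tls_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def audit_player_config(cfg: dict) -> list:
    """Return a list of findings for a player configuration (empty list = clean).
    Covers Application Security items a (debug UIs off), b (log level) and c (HTTPS)."""
    findings = []
    scheme = urlparse(cfg.get("aem_url", "")).scheme
    if scheme != "https":
        findings.append(f"aem_url uses {scheme!r}; AEM must be reached over https")
    for ui in ("admin_ui", "channel_switcher", "activity_ui"):
        if cfg.get(ui):
            findings.append(f"{ui} is enabled; disable it for production")
    if str(cfg.get("log_level", "")).upper() not in PRODUCTION_LOG_LEVELS:
        findings.append(f"log_level {cfg.get('log_level')!r} is too verbose for production")
    return findings


def registration_allowed(client_ip: str, player_subnet: str) -> bool:
    """Network Security item e: only addresses inside the signage subnet may
    reach the registration service on author. Any other source is rejected."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(player_subnet, strict=False)


if __name__ == "__main__":
    for finding in audit_player_config(SAMPLE_PLAYER_CONFIG):
        print("FINDING:", finding)
    print("TLS context:", tls_context_summary())
    print("10.20.30.40 may register:", registration_allowed("10.20.30.40", "10.20.30.0/24"))
```

Run against the constructed sample, the audit reports four findings (plain HTTP, Admin UI and Channel Switcher enabled, DEBUG logging); a configuration with an `https://` URL, all three UIs disabled and `log_level` set to `ERROR` produces none. The same allow-list logic belongs on the author-side firewall or dispatcher in front of the registration service, not only in the player.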