Security Reference Guide

Crestron Flex UC-ENGINE

Crestron Electronics, Inc.

The original language version of this document is U.S. English.
All other languages are a translation of the original document.

Crestron product development software is licensed to Crestron dealers and Crestron Service Providers (CSPs) under a limited
nonexclusive, nontransferable Software Development Tools License Agreement. Crestron product operating system software is
licensed to Crestron dealers, CSPs, and end-users under a separate End-User License Agreement. Both of these Agreements can
be found on the Crestron website at www.crestron.com/legal/software_license_agreement.

The product warranty can be found at www.crestron.com/warranty.

The specific patents that cover Crestron products are listed online at www.crestron.com/legal/patents.

Certain Crestron products contain open source software. For specific information, please visit www.crestron.com/opensource.

Crestron, the Crestron logo, Crestron Fusion, and XiO Cloud are either trademarks or registered trademarks of Crestron
Electronics, Inc. in the United States and/or other countries. Intel is either a trademark or registered trademark of Intel
Corporation in the United States and/or other countries. Active Directory, Azure, Microsoft, Microsoft 365, Microsoft Dynamics
365, Microsoft Intune, Microsoft Teams, Office 365, Skype, and Windows are either trademarks or registered trademarks of
Microsoft Corporation in the United States and/or other countries. USB Type-C is either a trademark or registered trademark of
USB Implementers Forum, Inc. in the United States and/or other countries. Miracast and Wi-Fi are either trademarks or
registered trademarks of Wi-Fi Alliance. Zoom Rooms is either a trademark or registered trademark of Zoom Video
Communications, Inc. in the United States and/or other countries. Other trademarks, registered trademarks, and trade names
may be used in this document to refer to either the entities claiming the marks and names or their products. Crestron disclaims
any proprietary interest in the marks and names of others. Crestron is not responsible for errors in typography or photography.

©2024 Crestron Electronics, Inc.

Revision History
Rev Date Notes Author(s)

A March 7, 2020 Initial version SD, JZ

B February 7, 2023 Significant update to all topics based on latest IH, JZ, MH
UC-ENGINE functions and specifications

C August 5, 2024 Added information regarding Microsoft® Autopilot IH, DP

support for UC-ENGINE deployments using Microsoft
Teams® software.

Please send comments and change recommendations to:

SecurityDocs@crestron.com

Security Reference Guide — Doc. 8726C Crestron Flex UC-ENGINE • i

Contents
Introduction 1
Intended Operational Environment 1
Security Policies 1

System Specifications 2
Product Software - Security Features 2
User Authentication 2
Audit Logging 2
Connectivity 2
Software Updates and Patches 3
Operating System 3
Antivirus and Antimalware 3
Network Configuration 3
Third-Party Software 4
Microsoft Teams Rooms 4
Zoom Rooms 4

Network Infrastructure 5
Microsoft Network Architecture Diagrams 5
Network Port List 5
VLAN 7

Security Controls 8
Malware and Vulnerability Protection 8
Security Applications 8
Vulnerability Protection 8
Remote Connectivity 8
Role-Based Access Control 8
Password Security 8
Data Segregation 9
Cloud Storage 9
Physical Protection 9
Audit Logging 9
Data Protection 9
Security Best Practices 9
More Security Information 10

ii • Contents Security Reference Guide — Doc. 8726C

Introduction
This guide serves as a security reference and provides best practices for deploying all variants of the
Crestron UC-ENGINE, a powerful Mini PC sold exclusively as part of a complete Crestron Flex UC
system and designed for use in a Microsoft Teams® or Zoom Rooms™ software environment. The
following information applies to the Dell® and Intel® Mini PCs that are included within various Crestron
Flex kits.

Intended Operational Environment

The UC-ENGINE is central to a complete Crestron Flex system, providing powerful processing
performance, Gigabit Ethernet, and complete connectivity for one or two HD displays, USB cameras,
and one USB audio conferencing device. It is designed for installation in meeting rooms to host video
calls when connected to a Microsoft Teams or Zoom Video Meeting service.

The UC-ENGINE comes preassembled on a bracket assembly as part of a Crestron Flex kit. Other
peripherals must be provided by the user. For more information on Crestron Flex kits, refer to the
Crestron Flex feature page.

The following diagram provides an example of devices and connections that are common within a
typical Crestron Flex system.

Security Policies
For general security policies, refer to the Crestron security web page.

Security Reference Guide — Doc. 8726C Crestron Flex UC-ENGINE • 1

System Specifications
For general product specifications, refer to the product page for your Crestron Flex kit.

Product Software - Security Features

The following security features are supported.

NOTE: To view security features for other Crestron devices that may be included within a Crestron
Flex deployment (such as touch screens or AirMedia® presentation ), refer to the applicable security
documentation at security.crestron.com.

User Authentication
When using a Microsoft Teams device, two accounts are set up by default: a Microsoft Teams account
and a default Admin account for administrating the UC-ENGINE.

When using a Zoom Rooms device, two accounts are setup as default: a CrestUC account and a default
Admin account for administrating the UC-ENGINE.

CAUTION: The password for the default CrestUC or default Microsoft Teams account must not be
changed. If changed, the device will require a reimage.

Audit Logging
System tasks use Windows® standard audit logging. Security-related application tasks are logged and
stored in the audit log.

Connectivity
The UC-ENGINE supports connectivity to Microsoft Teams or Zoom Meeting services and can utilize the
following management portals:
l XiO Cloud® Provisioning and Management Service
l Crestron Fusion® Cloud Software
l Microsoft Teams Admin Center
l Zoom Admin Portal
l Microsoft Intune® Service

2 • Crestron Flex UC-ENGINE Security Reference Guide — Doc. 8726C

Software Updates and Patches
Software updates are managed automatically through Windows Update. The UC-ENGINE can be
updated through most network domain management systems. For best practices in using and
managing Windows Update, refer to the Manage Windows Updates document.

Optionally, Zoom devices may be managed through the Zoom admin portal. For more information, refer
to the Zoom Help Center article.

Operating System
The UC-ENGINE uses the Windows 10 IoT Enterprise operating system with Windows Firewall turned on
by default. Configuration of the operating system is required (refer to Network Configuration on page
3).

Antivirus and Antimalware

Standard Windows 10 services including Windows Defender and Windows Firewall are turned on by
default and are updated automatically.

Network Configuration
The UC-ENGINE is configured with the following settings. Additional action may be taken where
applicable.
l DHCP: A standard DHCP configuration is provided.
l Wi-Fi® Communications: Wi-Fi communications are turned on in Windows, but not supported on
the UC-ENGINE.
l Hardening: The UC-ENGINE may be hardened like any other Windows device under the condition
that all Crestron services and ports are left active. Microsoft Teams or Zoom Rooms must be left
accessible.
l Unneeded Accounts: The built-in Admin account can be removed or disabled as long as the device
is domain attached. Doing so allows administrators to use any domain-level admin account to log
in.
l File Share: No file share is turned on by default.
l Unneeded Ports: Any ports besides those listed on the Network Port List on page 5 may be
disabled.
l Unneeded Services: All Crestron services must remain turned on. Any standard Windows services
can be turned off as needed.
l Unneeded Applications: All Crestron applications must remain turned on. Any standard Windows
applications can be turned off as needed.
l Restriction of External (USB) Devices: There is no restriction of external USB devices. However,
Crestron recommends only connecting USB devices that are included in the Crestron Flex kit, sold
by Crestron, or are certified for use with Crestron Flex systems.
l Authentication of External Devices (such as USB Type-C® Authentication Specification): No
authentication is provided.

Security Reference Guide — Doc. 8726C Crestron Flex UC-ENGINE • 3

 l Certified Software: The UC-ENGINE is compatible with third-party software and firmware that
has been certified for use with Crestron Flex systems.
o Certified firmware versions for USB audio and video peripherals (for Microsoft Teams
deployments)

Third-Party Software
All third-party and open source software and licenses used in Crestron applications are detailed in the
EULA included with the device. The UC-ENGINE is shipped with either a Microsoft Teams Rooms system
or a Zoom Rooms system. Each of these applications are created and owned by Microsoft® or Zoom
respectively.

Microsoft Teams Rooms

The Microsoft Teams Rooms app is a customized Microsoft Teams client created by Microsoft
specifically for room systems. The application is preinstalled as part of the device image created by
Crestron and starts automatically as the main interface on the UC-ENGINE.

All updates to the Microsoft Teams Rooms application, including security and feature updates, are
automatically installed by the Windows Store. All security and feature updates are delivered in this
manner. Users may not manually install updates to the Microsoft Teams Rooms application.
Configuration of the Microsoft Teams Rooms application is done by selecting the Settings option under
the More button on the main interface screen.

For information on the configuration options available, refer to the Microsoft Teams Rooms
Deployment Guide.

NOTE: UC-ENGINE devices running Microsoft Teams are Microsoft Autopilot ready, which allows for
fast provisioning and deployment of Microsoft Teams Room systems. Tenant management and
conditional access policies should be reviewed as part of a secure deployment. For more information
on Microsoft Autopilot, refer to Microsoft® Autopilot Support on Crestron Flex Teams UC-ENGINES.

Zoom Rooms
The Zoom Rooms app is a customized Zoom Meetings client created by Zoom specifically for room
systems. The application is preinstalled as part of the device image created by Crestron and starts
automatically as the main interface on the UC-ENGINE when it is in Zoom mode.

All updates to the Zoom Rooms application can be applied either manually or automatically through the
Zoom admin portal. Crestron also periodically provides updates to the Zoom Rooms application that
can be installed manually on the UC-ENGINE. However, Crestron does not publish all Zoom Rooms
updates.

For configuration instructions, refer to the Zoom documentation.

4 • Crestron Flex UC-ENGINE Security Reference Guide — Doc. 8726C

Network Infrastructure
The following sections describe information regarding the UC-ENGINE network infrastructure.

Microsoft Network Architecture Diagrams

Microsoft provides the following network architecture diagrams that should be referenced as needed
depending on your organization's Microsoft Teams deployment. The network architecture diagrams are
provided as PDF files.
l Microsoft Cloud for IT Architects Illustrations: Provides information about Microsoft cloud
services, including Microsoft 365®, Azure® Active Directory® (Azure AD), Microsoft Intune®,
Microsoft Dynamics 365®, and hybrid on-premises and cloud solutions.
l Microsoft Teams IT Architecture and Voice Solutions Posters: Provides information about
Microsoft Teams as part of Microsoft 365, groups in Microsoft 365, and Microsoft voice solutions.

Network Port List

The following ports are in use:

Function Category Destination Port From (Sender) To (Listener) Notes

Miracast A/V AirMedia 4570/UDP End User Device The default port
Workstations for Miracast
A/V, only open
during video
presentation

AirMediaV2 AirMedia 47000/TCP End User Device AirMedia client

Audio/Video Workstations control, used by
AirMedia
application
running on PC

AirMediaV2 AirMedia 47010/TCP End User Device AirMedia

Audio/Video Workstations audio/video
streams

AirMediaV2 AirMedia 5353/UDP End User Device AirMedia

Discovery Workstations Presentation
Gateway
discovery, used
for
autodiscovery

AirMediaV2 AirMedia 6000– End User Device AirMedia

Audio/Video 7000/TCP/UDP Workstations audio/video
streams

Security Reference Guide — Doc. 8726C Crestron Flex UC-ENGINE • 5

 Function Category Destination Port From (Sender) To (Listener) Notes

AirMediaV2 AirMedia 7011/UDP End User Device AirMedia control

Control Workstations channel
information

AirMediaV2 AirMedia 7100/TCP End User Device AirMedia client

Control Workstations control, used by
AirMedia
application
running on PC

AirMediaV2 AirMedia 7200–7201/TCP End User Device AirMedia control

Control Workstations channel
information

Miracast RTSP AirMedia 7236/TCP Device End User Default port for
Workstations Miracast RTSP

Miracast MS- AirMedia 7250/TCP End User Device Microsoft

MICE Workstations extension for
Miracast
Infrastructure
Mode

AirMedia V2 AirMedia 7300/TCP End User Device Chrome®

Control Workstations extension
signaling
channel
(AirMedia
support for
Chromebooks)
(Day 9)

NTP Common 123/UDP Device NTP Server Network Time

Service Protocol (NTP)
Ports

SSH/SFTP Common 22/TCP Admin Device Used for Cloud

Service Workstation Configuration,
Ports Console, and
File Transfer

LDAP Common 3268/TCP Device LDAP Server LDAP queries

Service targeting global
Ports catalogs

HTTPS Common 443/TCP Admin or End Device Secure Web

Service User Configuration
Ports Workstation for Crestron
Mercury® device

DHCP Common 67/UDP Device DHCP Server DHCP

Service Addressing
Ports

6 • Crestron Flex UC-ENGINE Security Reference Guide — Doc. 8726C

 Function Category Destination Port From (Sender) To (Listener) Notes

DHCP Common 68/UDP DHCP Server Device DHCP

Service Addressing
Ports

HTTP Common 80/TCP Admin or End Device Main web page

Service User for downloading
Ports Workstation AirMedia
application

Crestron-CIP Crestron 41794/TCP Device Fusion Crestron

Control Internet
Protocol - used
for Fusion
Servers

Crestron-CIP Crestron 41794/TCP Third-Party Device Crestron

Control Display Connected®
protocol

Crestron-CIPS Crestron 41796/TCP Device Crestron Crestron

Control Fusion Internet
Protocol Secure,
used for
Crestron Fusion
Servers

Crestron-CIPS Crestron 41796/TCP Third-Party Device Crestron

Control Display Connected
protocol

Autodiscovery Flex UC- 42872/UDP Device UC-ENGINE Crestron

of UC-ENGINE Engine Mercury device

Touch and Flex UC- 49500/TCP or Device UC-ENGINE Crestron

signaling Engine UDP Mercury device
(TLS 1.2)

Video (TLS 1.2) Flex UC- 49501/TCP or Device UC-ENGINE Crestron

Engine UDP Mercury device

HTTPS XiO Cloud 443/TCP Device XiO Cloud XiO Cloud

service service

VLAN
In order to ensure proper functionality, ensure the display devices and UC-ENGINE are on the same
VLAN.

Security Reference Guide — Doc. 8726C Crestron Flex UC-ENGINE • 7

Security Controls
Crestron devices use industry standards like Build Security in Maturity Model (BSIMM) benchmarks,
Open Group ACS Trusted Technology Provider Framework, and NIST when considering security.

Malware and Vulnerability Protection

The UC-ENGINE provides the following malware and vulnerability protection.

Security Applications
The following Microsoft applications are included on the Crestron Flex UC-ENGINE:
l Enhanced Mitigation Experience Toolkit (EMET)
l AppLocker
l Backup Solutions
l User Account Control
l Windows Defender

Vulnerability Protection
If vulnerabilities or other issues are found, a patch will be made available to customers. If the patch is
not urgent, the Crestron support team will work with the customer to identify a time to apply the patch.
If the patch fixes a critical vulnerability, the customer will be informed when the patch will be applied.

Upon identifying an attack, immediate steps will be taken to close access as soon as possible. Once the
attack is halted, forensic analysis will be taken to identify any customer data that may have been
accessed. Customers will then be alerted about the impact of the attack and any of their data that may
have been accessed.

Remote Connectivity
Remote users' activities are logged by Crestron and may be reviewed as needed. No third parties are
granted access to this information.

Role-Based Access Control

Use the principle of least privilege (POLP) when establishing access control for user accounts.

Password Security
Ensure all used passwords meet following criteria:

8 • Crestron Flex UC-ENGINE Security Reference Guide — Doc. 8726C

 l Minimum length of 7 characters
l Passwords changed every 90 days
l 30 minute lockout after 5 failed attempts in 2 minutes.

For front-end XiO Cloud account user passwords, single sign-on (SSO) may be used, allowing for
corporate password policies to be applied. For back-end accounts, two-factor authentication is used.

Data Segregation
The UC-ENGINE segregates data as follows.

Cloud Storage
All data stored in the cloud is kept in a multitennant database.

Physical Protection
All physical servers are managed by Microsoft Azure in the eastern and western United States.
Authenticated remote access to servers is limited to named members of Crestron's engineering and
operations teams. Access to business premises containing servers is managed by Microsoft Azure.
Access to Crestron facilities is limited to invited guests and employees with badge access.

Audit Logging
Standard Windows security logging and auditing is used. Crestron applications write all security events
to text based log files on the system that can be manually audited by administrators.

Data Protection
Data transmitted via Crestron cloud-based software such as the XiO Cloud service is encrypted over
TLS 1.2 (AES 256 in transit, AES 128 at rest). The device does not sent PHI (Protected Health
Information) or PII (Personally Identifiable Information), only NPI (Non-Personal Information) such as
business contact information classified as such in the United States. Data at rest is protected with
encrypted hard disks. No data is stored on company servers.

Software development follows OWASP (Open Web Application Security Project) best practices.

Security Best Practices

For optimal security while operating the Crestron Flex UC-ENGINE, observe the following best
practices:
l Do not access the internet using a web browser on the device.
l Do not directly expose the device to the internet.

Security Reference Guide — Doc. 8726C Crestron Flex UC-ENGINE • 9

 l Never install unapproved software.
l Use the system only for its intended purpose.

More Security Information

For more information regarding security practices for Crestron devices, visit the Crestron security web
page.

10 • Crestron Flex UC-ENGINE Security Reference Guide — Doc. 8726C

Crestron Electronics, Inc. Security Reference Guide — Doc. 8726C
15 Volvo Drive, Rockleigh, NJ 07647 08/05/24
Tel: 888.CRESTRON Specifications subject to
Fax: 201.767.7656 change without notice.
www.crestron.com