Mago Room Security
Mago Room was designed to be appliance-like, ensuring a consistent, “walk-up” user experience without sacrificing security. Re Mago works with our partners to deliver a solution that is secure and doesn’t require additional actions to secure Mago Room System. This article discusses many of the security features found in Mago Room.
- Mago Room System should not be treated like a typical end-user workstation. Not only are the use cases vastly different, but the default security profiles are also different. This section applies to Mago Room System devices running on Windows.
- Limited end-user data is stored on Mago Room. End-user data may be stored in the log files for troubleshooting and support only. At no point can an attendee of a meeting using Mago Room copy files to the hard drive or sign in as themselves. No end-user data is transferred to, or accessible by, the Mago Room device.
- Even though end users can’t put files on a Mago Room hard drive, Microsoft Defender is still enabled. Mago Room performance is tested with Microsoft Defender. Disabling this or adding endpoint security software can lead to unpredictable results and potential system degradation.
In a Mago Room environment, there’s a central compute module that runs the Windows 10 IoT Enterprise or Pro edition. Every certified compute module must have a secure mounting solution, a security lock slot (for example, Kensington lock), and I/O port access security measures to prevent the connection of unauthorised devices. You can also disable specific ports via Unified Extensible Firmware Interface (UEFI) configuration.
Every certified compute module must ship with Trusted Platform Module (TPM) 2.0 compliant technology enabled by default. TPM is used to encrypt the login information for the Mago Room resource account. Secure boot is enabled by default.
Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. For more information, see Secure boot. Access to UEFI settings is only possible by attaching a physical keyboard and mouse. This prevents access to UEFI settings via the Mago Room touch-enabled console or any other touch-enabled display attached to Mago Room.
Kernel Direct Memory Access (DMA) Protection is a Windows 10 setting that is enabled on Mago Room. With this feature, the OS and the system firmware protect the system against malicious and unintended DMA attacks for all DMA-capable devices:
- During the boot process
- Against malicious DMA by devices connected to easily accessible internal/external DMA-capable ports, such as M.2 PCIe slots and Thunderbolt 3, during OS runtime
Mago Room also enables Hypervisor-protected code integrity (HVCI). One of the features provided by HVCI is Credential Guard. Credential Guard provides the following benefits:
- Hardware Security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualisation, to protect credentials
- Virtualisation-based Security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
- Better Protection against Advanced Persistent Threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualisation-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can’t extract secrets that are protected by virtualisation-based security.
After Microsoft Windows boots, Mago Room automatically signs into a local Windows user account named Mago. The Mago account has no password. To make the Mago account session secure, the following steps are taken.
Don’t change the password or edit the local Mago user account. Doing so can prevent Mago Room from automatically signing in.
For Mago Room to be used in communal spaces such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10. Mago Room supports these Windows 10 security features:
- UEFI Secure Boot
- BitLocker Drive Encryption
- Trusted Platform Module (TPM)
- Windows Defender
- User Account Control (UAC) for access to the Mago Room Settings
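The following read-only check is an added example, not code from Re Mago or from the Mago Room image. It confirms on a device that the protections described above (Secure Boot, TPM 2.0, BitLocker, Microsoft Defender, HVCI and Credential Guard) are actually active. The helper name Test-Feature is hypothetical; the cmdlets and WMI classes are standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): read-only posture check for the platform
# protections this article lists. Run in an elevated Windows PowerShell session.

function Test-Feature {   # hypothetical helper: runs one check, never throws
    param([string]$Name, [scriptblock]$Check)
    try   { $pass = [bool](& $Check); $detail = '' }
    catch { $pass = $false; $detail = $_.Exception.Message }  # e.g. legacy BIOS
    [pscustomobject]@{ Feature = $Name; Pass = $pass; Detail = $detail }
}

# Win32_DeviceGuard reports virtualisation-based security (VBS) state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

$results = @(
    Test-Feature 'UEFI Secure Boot on' { Confirm-SecureBootUEFI -ErrorAction Stop }
    Test-Feature 'TPM 2.0 present and ready' {
        $tpm  = Get-Tpm -ErrorAction Stop
        $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
        $tpm.TpmPresent -and $tpm.TpmReady -and ($spec -like '2.0*')
    }
    Test-Feature 'BitLocker protecting system drive' {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $vol.ProtectionStatus -eq 'On'
    }
    Test-Feature 'Microsoft Defender real-time protection' {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    }
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
    Test-Feature 'VBS running' { $dg.VirtualizationBasedSecurityStatus -eq 2 }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    Test-Feature 'HVCI running'             { $dg.SecurityServicesRunning -contains 2 }
    Test-Feature 'Credential Guard running' { $dg.SecurityServicesRunning -contains 1 }
)

$results | Format-Table -AutoSize -Wrap
# Non-zero exit code lets a management tool flag the device.
if ($results.Pass -contains $false) { exit 1 }
```

A failed row with a message in the Detail column means the check itself could not run (for example, the BitLocker module is absent), which is worth investigating separately from a clean False.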
The Mago Room System runs using a least-privilege feature that limits the application entry points exposed to the user. This is what enables app launcher kiosk mode. Using standard Windows shell UI suppression, Mago Room is configured as a kiosk device that runs a Windows desktop application as the user interface.
When Kiosk Mode is enabled in Mago Settings, the traditional Explorer shell is not launched at all. This greatly reduces the Mago Room vulnerability surface within Windows. Additionally, lockdown policies are applied to limit non-administrative features from being used. A keyboard filter is enabled to intercept and block potentially insecure keyboard combinations that aren’t covered by security enforced policies. Only users with local or domain administrative rights are permitted to sign into Windows to manage Mago Room. These and other policies applied to Windows on Mago Room devices are continually assessed and tested during the product lifecycle.
Session Security and Data Safety
During a meeting session, users have access to a limited set of directories on Mago Room:
- Meetings (secure cache available only during live sessions)
- My Documents (optional)
Files saved locally in these directories are deleted when users end the session (e.g. by pressing “End session” or disconnecting the personal device if on BYOD). To save content created during a session, users should save files to a USB drive, a connected personal Cloud drive or using the “send by email” feature.
After a working session ends, data is wiped from the system to protect sensitive information. The next user or group gets a clean slate to work from.
Mago Room devices include an administrative account named “Admin” with a default password. We strongly recommend that you change the default password as soon as possible after you complete setup.
If you delete or disable the Admin account before granting local Administrator permissions to another local or domain account, you may lose the ability to administer and configure the Mago Room device. If this happens, you’ll need to reset the device back to its original settings and complete the setup process again. Do not grant local Administrator permissions to the Mago user account.
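The account guidance above can be checked before anyone disables the Admin account. This is an added example, not vendor code; it assumes the account names "Mago" and "Admin" exactly as this article gives them and only reads local account state.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). 'Mago' and 'Admin' are the account names
# used in this article; adjust them if your image differs.

$adminSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group
$members  = @(Get-LocalGroupMember -SID $adminSid -ErrorAction Stop)

# The password-less auto-logon account must never hold administrator rights.
$magoIsAdmin = $members.Name -contains "$env:COMPUTERNAME\Mago"

# Enabled local administrators other than the shipped 'Admin' account.
$otherLocal = @($members |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object { $_.Enabled -and $_.Name -ne 'Admin' })

# Domain or Azure AD principals that were granted local administrator rights.
$directory = @($members | Where-Object { $_.PrincipalSource -ne 'Local' })

$admin = Get-LocalUser -Name 'Admin' -ErrorAction SilentlyContinue

[pscustomobject]@{
    MagoIsLocalAdmin     = $magoIsAdmin                 # expected: False
    AdminAccountEnabled  = [bool]$admin.Enabled
    # Compare with the setup date: an unchanged value suggests the default password.
    AdminPasswordLastSet = $admin.PasswordLastSet
    OtherAdminPrincipals = (@($otherLocal.Name) + @($directory.Name)) -join ', '
    # Only disable or delete 'Admin' when another administrator already exists.
    SafeToDisableAdmin   = ($otherLocal.Count + $directory.Count) -gt 0
} | Format-List
```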
Generally, Mago Room has the same network requirements as any VC client installed on a standard desktop PC. Access through firewalls and other security devices is the same for Mago Room as for any other VC client (i.e. Zoom, Google Meet, Microsoft Teams Desktop, Cisco Webex). Mago Room also needs access to Windows Update, and Microsoft Intune (if you use Microsoft Intune to manage your devices). For the full list of IPs and URLs required for Mago Room VC systems, see:
We strongly recommend that you configure Windows Update policies to install updates automatically, including security updates (i.e. every day beginning at 2:00am). There is no need to use additional tools to deploy and apply Windows Updates. Using additional tools to deploy and apply updates can delay the installation of Windows patches and thus lead to a less secure deployment. The Mago Room app is deployed using the Valarea Admin management console (VMC) at https://admin.mago.io
Mago Room devices work with most 802.1X or other network-based security protocols. However, we’re not able to test Mago Room against all possible network security configurations. Therefore, if performance issues arise that can be traced to network performance issues, you may need to disable these protocols if they’re configured in your organisation.
For optimum performance of real time media, we strongly recommend that you configure VC media traffic to bypass proxy servers and other network security devices. Real time media is very latency sensitive and proxy servers and network security devices can significantly degrade users’ video and audio quality. Also, because VC media is already encrypted, there’s no tangible benefit from passing the traffic through a proxy server.
Mago Room doesn’t support authenticated proxy servers.
Mago Room devices don’t need to connect to an internal LAN. Consider placing Mago Room in a secure network segment with direct Internet access. If your internal LAN becomes compromised, the attack vector opportunities towards Mago Room will be reduced.
We strongly recommend that you connect your Mago Room devices to a wired network. The use of wireless networks on Mago Room devices isn’t recommended or certified. Some connectivity features, such as Wi-Fi Sense, are disabled by default.
QR code Proximity Join and other Mago Room features rely on TCP/UDP and Bluetooth. However, the Bluetooth implementation on Mago Room devices doesn’t allow for an external device connection to a Mago Room device. Bluetooth technology used on Mago Room devices is currently limited to advertising beacons and prompted proximal connections. The ADV_NONCONN_INT protocol data unit (PDU) type is used in the advertising beacon. This PDU type is for non-connectable devices advertising information to the listening device. There is no Bluetooth device pairing as part of these features. Additional details on Bluetooth protocols can be found on the Bluetooth SIG website.