Valarea Room Security

Valarea Room was designed to be appliance-like, ensuring a consistent, “walk-up” user experience without sacrificing security. Re Mago works with its partners to deliver a solution that is secure out of the box and doesn’t require additional hardening of the Valarea Room System. This article describes the main security features of Valarea Room.
  • Valarea Room System should not be treated like a typical end-user workstation. Not only are the use cases vastly different, but the default security profiles are also different. This section applies to Valarea Room System devices running on Windows.
  • Limited end-user data is stored on Valarea Room. End-user data may be held in the log files for troubleshooting and support only. Meeting attendees cannot sign in to the device as themselves, and anything they save to the session directories is deleted when the session ends (see Session Security and Data Safety below). Beyond that, no end-user data is transferred to, or accessible by, the Valarea Room device.
  • Even though end users can’t keep files on a Valarea Room hard drive, Microsoft Defender is still enabled. Valarea Room performance is tested with Microsoft Defender. Disabling it or adding other endpoint security software can lead to unpredictable results and system degradation.

Hardware Security

In a Valarea Room environment, there’s a central compute module that runs Windows 10 IoT Enterprise or Pro. Every certified compute module must have a secure mounting solution, a security lock slot (for example, a Kensington lock) and I/O port access controls to prevent the connection of unauthorised devices. You can also disable specific ports in the Unified Extensible Firmware Interface (UEFI) configuration.
Every certified compute module must ship with Trusted Platform Module (TPM) 2.0 compliant technology enabled by default. TPM is used to encrypt the login information for the Valarea Room resource account. Secure boot is enabled by default.
Secure Boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications and the operating system. If the signatures are valid, the PC boots and the firmware hands control to the operating system. For more information, see Secure boot. UEFI settings can only be reached with a physical keyboard and mouse attached; they cannot be opened from the Valarea Room touch-enabled console or from any other touch-enabled display attached to Valarea Room. Because anyone who can plug in a keyboard can otherwise enter setup, pair this with the port controls above and a UEFI administrator password.
Kernel Direct Memory Access (DMA) Protection is a Windows 10 setting that is enabled on Valarea Room. With this feature, the OS and the system firmware protect the system against malicious and unintended DMA attacks for all DMA-capable devices:
  • During the boot process
  • Against malicious DMA by devices connected to easily accessible internal/external DMA-capable ports, such as M.2 PCIe slots and Thunderbolt 3, during OS runtime
Valarea Room also enables virtualisation-based security (VBS), including Hypervisor-protected code integrity (HVCI) and Credential Guard. Credential Guard provides the following benefits:
  • Hardware Security
    NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualisation, to protect credentials
  • Virtualisation-based Security
    Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
  • Better Protection against Advanced Persistent Threats
    When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualisation-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can’t extract secrets that are protected by virtualisation-based security.
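As an added example (not code from Valarea Room or Re Mago), the following PowerShell script, run in an elevated session on the compute module itself, checks that the platform protections described above are actually active: Secure Boot, a ready TPM 2.0, VBS with both HVCI and Credential Guard running, and Kernel DMA Protection. The function name is this example’s own, and reading the Kernel DMA Protection state from an msinfo32 report is the example’s choice because no cmdlet exposes it; the script only reports and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example (not Valarea/Re Mago code): audit the hardware-rooted protections
# described in the Hardware Security section on a Windows 10 compute module.

function Get-ValareaHardwarePosture {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail })
    }

    # 1. UEFI Secure Boot. The cmdlet throws on legacy BIOS boot, which is itself a finding.
    try {
        $sb = Confirm-SecureBootUEFI
        Add-Finding 'Secure Boot' $sb "Confirm-SecureBootUEFI = $sb"
    } catch {
        Add-Finding 'Secure Boot' $false "Not UEFI boot or query failed: $($_.Exception.Message)"
    }

    # 2. TPM present, ready for use and implementing the 2.0 specification.
    $tpm    = Get-Tpm
    $tpmVer = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
    Add-Finding 'TPM 2.0 ready' ($tpm.TpmPresent -and $tpm.TpmReady -and $tpmVer -like '2.0*') `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) SpecVersion=$tpmVer"

    # 3. Virtualisation-based security. VirtualizationBasedSecurityStatus: 2 = running.
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    Add-Finding 'VBS running' ($dg.VirtualizationBasedSecurityStatus -eq 2) `
        "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"
    Add-Finding 'Credential Guard running' ($running -contains 1) "SecurityServicesRunning=$($running -join ',')"
    Add-Finding 'HVCI running'             ($running -contains 2) "SecurityServicesRunning=$($running -join ',')"

    # 4. Kernel DMA Protection is only surfaced by msinfo32, so export a report and read the line.
    #    The label is English; adjust the pattern on a localised Windows image.
    $report = Join-Path $env:TEMP 'valarea-msinfo32.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait -NoNewWindow
    $line = Get-Content -Path $report | Where-Object { $_ -match '^Kernel DMA Protection' } | Select-Object -First 1
    Remove-Item -Path $report -ErrorAction SilentlyContinue
    Add-Finding 'Kernel DMA Protection' ($line -and $line -match '\s+On\s*$') `
        $(if ($line) { $line.Trim() } else { 'line not found in msinfo32 report' })

    return $findings
}

# Anything with Ok = False is a deviation from the posture this section describes.
Get-ValareaHardwarePosture | Format-Table -AutoSize
```

Run it after imaging and again after any firmware update; a compute module that reports VBS running but Credential Guard not running has usually lost the policy that enables it rather than the hardware support.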

Software Security

After Microsoft Windows boots, Valarea Room automatically signs into a local Windows user account named Valarea. The Valarea account has no password. To make the Valarea account session secure, the following steps are taken.
Don’t change the password or edit the local Valarea user account. Doing so can prevent Valarea Room from automatically signing in.
For Valarea Room to be used in communal spaces such as meeting rooms, its custom OS implements many of the security and lockdown features available in Windows 10. Valarea Room supports these Windows 10 security features:
  • UEFI Secure Boot
  • BitLocker Drive Encryption
  • Trusted Platform Module (TPM)
  • Windows Defender
  • User Account Control (UAC) for access to the Valarea Room Settings
Kiosk Mode
The Valarea Room System runs under a least-privilege configuration that limits the application entry points exposed to the user. This is what enables app launcher kiosk mode. Using standard Windows shell UI suppression, Valarea Room is configured as a kiosk device that runs a Windows desktop application as its user interface.
When Kiosk Mode is enabled in Valarea Settings, the traditional Explorer shell is not launched at all. This greatly reduces the attack surface Valarea Room exposes within Windows. Additionally, lockdown policies are applied to limit non-administrative features from being used. A keyboard filter is enabled to intercept and block potentially insecure keyboard combinations that aren’t covered by the enforced policies. Only users with local or domain administrative rights are permitted to sign in to Windows to manage Valarea Room. These and other policies applied to Windows on Valarea Room devices are continually assessed and tested during the product lifecycle.
Session Security and Data Safety
During a meeting session, users have access to a limited set of directories on Valarea Room:
  • Meetings (secure cache available only during live sessions)
  • My Documents (optional)
Files saved locally in these directories are deleted when users end the session (e.g. by pressing “End session” or, on BYOD, by disconnecting the personal device). To keep content created during a session, users should save files to a USB drive or a connected personal cloud drive, or use the “send by email” feature.
After the working session, data is wiped from the system to protect sensitive information, so the next user or group starts from a clean slate.

Account Security

Valarea Room devices include an administrative account named “Admin” with a default password. We strongly recommend that you change the default password as soon as possible after you complete setup.
If you delete or disable the Admin account before granting local Administrator permissions to another local or domain account, you may lose the ability to administer and configure the Valarea Room device. If this happens, you’ll need to reset the device back to its original settings and complete the setup process again. Do not grant local Administrator permissions to the Valarea user account.
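As an added example covering both the Software Security and Account Security sections (not code from Valarea Room or Re Mago), this PowerShell script checks the lockdown those sections describe: BitLocker on the OS volume, Defender real-time protection, UAC, the password-less Valarea autologon, the kiosk shell and keyboard filter, and the account rules (Valarea is not an administrator, Admin exists and is enabled, and a second administrator exists before Admin is ever disabled). The account names ‘Valarea’ and ‘Admin’ come from the text; the Shell Launcher and Keyboard Filter checks assume the kiosk is built on those Windows 10 Enterprise/IoT Enterprise features, which the page does not state and which may not apply on Pro.

```powershell
#Requires -RunAsAdministrator
# Added example (not Valarea/Re Mago code): audit software lockdown and local accounts.
# Assumption: kiosk uses Windows Shell Launcher and Keyboard Filter (optional features).

function Get-ValareaLockdownPosture {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = $Detail })
    }

    # Disk encryption, anti-malware and UAC (the page lists all three as required).
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Add-Finding 'BitLocker protects OS volume' ($osVol.ProtectionStatus -eq 'On') `
        "ProtectionStatus=$($osVol.ProtectionStatus) Method=$($osVol.EncryptionMethod)"
    $mp = Get-MpComputerStatus
    Add-Finding 'Defender real-time protection' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
        "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled)"
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Add-Finding 'UAC enabled' ($uac.EnableLUA -eq 1) "EnableLUA=$($uac.EnableLUA)"

    # Autologon: Valarea signs in automatically and has no password, so there must be
    # no clear-text DefaultPassword value lingering in Winlogon.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Add-Finding 'Autologon user is Valarea' ($wl.AutoAdminLogon -eq '1' -and $wl.DefaultUserName -eq 'Valarea') `
        "AutoAdminLogon=$($wl.AutoAdminLogon) DefaultUserName=$($wl.DefaultUserName)"
    Add-Finding 'No clear-text DefaultPassword' (-not $wl.PSObject.Properties['DefaultPassword']) 'Winlogon\DefaultPassword absent'

    # Kiosk: Explorer replaced by a custom shell for Valarea, keyboard filter feature on.
    $shellLauncher = Get-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher -ErrorAction SilentlyContinue
    $kbFilter      = Get-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -ErrorAction SilentlyContinue
    Add-Finding 'Shell Launcher feature'  ($shellLauncher.State -eq 'Enabled') "State=$($shellLauncher.State)"
    Add-Finding 'Keyboard Filter feature' ($kbFilter.State -eq 'Enabled')      "State=$($kbFilter.State)"
    $valarea = Get-LocalUser -Name 'Valarea' -ErrorAction SilentlyContinue
    if ($valarea -and $shellLauncher.State -eq 'Enabled') {
        # WESL_UserSetting maps a user SID to the shell launched instead of explorer.exe.
        $custom = Get-CimInstance -Namespace 'root\standardcimv2\embedded' -ClassName WESL_UserSetting |
                  Where-Object { $_.Sid -eq $valarea.SID.Value }
        Add-Finding 'Valarea runs a custom shell' ($custom -and $custom.Shell -notmatch 'explorer\.exe') "Shell=$($custom.Shell)"
    }

    # Accounts: Valarea must never be an administrator; Admin must exist and be enabled;
    # a second administrator must exist before Admin is disabled or deleted.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
    Add-Finding 'Valarea not in Administrators' (-not ($admins -match '\\Valarea$')) ($admins -join ', ')
    $adminAcct = Get-LocalUser -Name 'Admin' -ErrorAction SilentlyContinue
    Add-Finding 'Admin account enabled' ($adminAcct -and $adminAcct.Enabled) `
        "Enabled=$($adminAcct.Enabled) PasswordLastSet=$($adminAcct.PasswordLastSet)"
    $otherAdmins = @($admins | Where-Object { $_ -notmatch '\\Admin$' })
    Add-Finding 'Another administrator exists' ($otherAdmins.Count -gt 0) ($otherAdmins -join ', ')

    return $findings
}

Get-ValareaLockdownPosture | Format-Table -AutoSize
```

The PasswordLastSet value on the Admin row is the quickest way to confirm that the default password was actually changed after setup: if it still matches the imaging date, it wasn’t.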

Network Security

Generally, Valarea Room has the same network requirements as any video-conferencing (VC) client installed on a standard desktop PC. Access through firewalls and other security devices is the same for Valarea Room as for any other VC client (e.g. Zoom, Google Meet, Microsoft Teams Desktop, Cisco Webex). Valarea Room also needs access to Windows Update and, if you use it to manage your devices, Microsoft Intune. For the full list of IPs and URLs required for Valarea Room VC systems, see:
  • Microsoft Teams
  • Google Meet
  • Google Meet ports
  • Cisco Webex
  • Windows Update
  • Configure WSUS
  • Microsoft Intune
We strongly recommend configuring Windows Update policies so that updates, including security updates, are installed automatically (for example, every day beginning at 2:00 am). There is no need to use additional tools to deploy and apply Windows updates; doing so can delay the installation of Windows patches and lead to a less secure deployment. The Valarea Room app itself is deployed using the Valarea Admin management console (VMC).
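As an added example (not code from Valarea Room or Re Mago), the following PowerShell applies the recommended schedule through the standard Automatic Updates policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU and then reads the effective policy back. The function names and the 02:00 default are this example’s own; the value names and their meanings are the documented Automatic Updates policy settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not Valarea/Re Mago code): enforce "install automatically, every day
# at 02:00" via the Automatic Updates policy key and verify it.

$AuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-ValareaUpdateSchedule {
    param([ValidateRange(0, 23)][int]$Hour = 2)
    if (-not (Test-Path $AuPolicy)) { New-Item -Path $AuPolicy -Force | Out-Null }
    # NoAutoUpdate=0        keep Automatic Updates on
    # AUOptions=4           auto download and schedule the install
    # ScheduledInstallDay=0 every day; ScheduledInstallTime = hour of day (0-23)
    $values = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = $Hour }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $AuPolicy -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
    # Ask the Windows Update Agent to run a detection cycle now rather than at its next interval.
    try { (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow() } catch { Write-Warning "DetectNow failed: $_" }
}

function Test-ValareaUpdateSchedule {
    param([ValidateRange(0, 23)][int]$Hour = 2)
    if (-not (Test-Path $AuPolicy)) {
        return [pscustomobject]@{ Ok = $false; Detail = 'AU policy key absent: device uses default, unscheduled update behaviour' }
    }
    $p  = Get-ItemProperty -Path $AuPolicy
    $ok = ($p.NoAutoUpdate -eq 0) -and ($p.AUOptions -eq 4) -and
          ($p.ScheduledInstallDay -eq 0) -and ($p.ScheduledInstallTime -eq $Hour)
    [pscustomobject]@{
        Ok     = $ok
        Detail = "NoAutoUpdate=$($p.NoAutoUpdate) AUOptions=$($p.AUOptions) Day=$($p.ScheduledInstallDay) Hour=$($p.ScheduledInstallTime)"
    }
}

Set-ValareaUpdateSchedule -Hour 2
Test-ValareaUpdateSchedule -Hour 2
```

If the device is joined to Intune or a domain, apply the same settings as policy from there instead of writing the registry on each device; the verification function is still useful either way, because it reads what the Windows Update client will actually honour.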
Valarea Room devices work with most 802.1X and other network-based security protocols. However, we’re not able to test Valarea Room against every possible network security configuration. If performance issues arise that can be traced to these protocols, you may need to disable them for the Valarea Room devices; weigh that against the loss of port-based access control, and prefer placing the devices in their own network segment (see below) over relaxing the protocol elsewhere.
For optimum performance of real time media, we strongly recommend that you configure VC media traffic to bypass proxy servers and other network security devices. Real time media is very latency sensitive and proxy servers and network security devices can significantly degrade users’ video and audio quality. Also, because VC media is already encrypted, there’s no tangible benefit from passing the traffic through a proxy server.
Valarea Room doesn’t support authenticated proxy servers.
Valarea Room devices don’t need to connect to an internal LAN. Consider placing Valarea Room in a secure network segment with direct Internet access. If your internal LAN is compromised, the paths an attacker has to reach Valarea Room are reduced.
We strongly recommend that you connect your Valarea Room devices to a wired network. The use of wireless networks on Valarea Room devices isn’t recommended or certified. Some connectivity features, such as Wi-Fi Sense, are disabled by default.
QR code Proximity Join and other Valarea Room features rely on TCP/UDP and Bluetooth. However, the Bluetooth implementation on Valarea Room devices doesn’t allow an external device to connect to a Valarea Room device. Bluetooth technology on Valarea Room devices is currently limited to advertising beacons and prompted proximal connections. The advertising beacon uses the ADV_NONCONN_IND protocol data unit (PDU) type, which is reserved for non-connectable devices advertising information to listening devices. There is no Bluetooth device pairing as part of these features. Additional details on Bluetooth protocols can be found on the Bluetooth SIG website.
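As an added example (not code from Valarea Room or Re Mago), this PowerShell function decodes the header of a captured Bluetooth LE advertising-channel PDU and reports whether the PDU type is one a scanner could answer with a connection request, which is how a practitioner can confirm from a sniffer capture that a beacon really is ADV_NONCONN_IND. The PDU type values and the header layout are from the Bluetooth Core Specification (Link Layer, advertising-channel PDU); the sample frame, its address and its local name are constructed for this example.

```powershell
# Added example (not Valarea/Re Mago code): decode a BLE advertising PDU header.
# Header (16 bits): PDU Type = bits 0-3, ChSel = bit 5, TxAdd = bit 6, RxAdd = bit 7,
# then an 8-bit payload length. Legacy PDU type values per the Core Specification:
$PduTypes = @{
    0 = 'ADV_IND'; 1 = 'ADV_DIRECT_IND'; 2 = 'ADV_NONCONN_IND'; 3 = 'SCAN_REQ'
    4 = 'SCAN_RSP'; 5 = 'CONNECT_IND'; 6 = 'ADV_SCAN_IND'; 7 = 'ADV_EXT_IND'
}
# Only these legacy advertising types invite a CONNECT_IND from a scanner.
$ConnectableTypes = @('ADV_IND', 'ADV_DIRECT_IND')

function ConvertFrom-BleAdvPdu {
    param([byte[]]$Pdu)   # header + payload, i.e. the bytes after the access address, before the CRC
    if ($Pdu.Length -lt 2) { throw 'PDU is shorter than its 16-bit header' }
    $type   = [int]($Pdu[0] -band 0x0F)
    $txAdd  = ($Pdu[0] -shr 6) -band 1           # 1 = AdvA is a random address, 0 = public
    $length = [int]$Pdu[1]
    if ($Pdu.Length -ne 2 + $length) { throw "Length field ($length) does not match payload ($($Pdu.Length - 2) bytes)" }
    $name = if ($PduTypes.ContainsKey($type)) { $PduTypes[$type] } else { 'RESERVED_0x{0:X}' -f $type }
    $result = [ordered]@{
        PduType       = $name
        Connectable   = ($ConnectableTypes -contains $name)
        TxAddRandom   = [bool]$txAdd
        PayloadLength = $length
    }
    if ($name -in 'ADV_IND', 'ADV_NONCONN_IND', 'ADV_SCAN_IND') {
        # Payload = AdvA (6 bytes, least-significant octet first) + AdvData (AD structures: len, type, data).
        $result.AdvA = ($Pdu[7..2] | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
        $ads = @(); $i = 8
        while ($i -lt $Pdu.Length) {
            $len = [int]$Pdu[$i]; if ($len -eq 0) { break }      # zero length ends AdvData
            $adType = $Pdu[$i + 1]
            $data   = if ($len -gt 1) { $Pdu[($i + 2)..($i + $len)] } else { @() }
            $ads += [pscustomobject]@{
                Type = '0x{0:X2}' -f $adType                      # e.g. 0x01 Flags, 0x09 Complete Local Name
                Data = ($data | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
            }
            $i += 1 + $len
        }
        $result.AdvData = $ads
    }
    [pscustomobject]$result
}

# Constructed sample frame: header 0x42 = type 0x2 (ADV_NONCONN_IND) with TxAdd=1, length 0x10;
# AdvA C0:11:22:33:44:55 (random, sent LSB first); AD: Flags 0x06, Complete Local Name "VRoom".
$sample = [byte[]](0x42, 0x10,
                   0x55, 0x44, 0x33, 0x22, 0x11, 0xC0,
                   0x02, 0x01, 0x06,
                   0x06, 0x09, 0x56, 0x52, 0x6F, 0x6F, 0x6D)
$decoded = ConvertFrom-BleAdvPdu -Pdu $sample
$decoded | Format-List
if ($decoded.Connectable) { Write-Warning 'Beacon advertises as connectable' } else { 'Beacon is non-connectable, as expected' }
```

Change the first byte of the sample to 0x40 (ADV_IND) and the function flags it as connectable; that is the check worth running against a real capture from the room, since a misconfigured radio stack advertising ADV_IND would accept connections this page says are never offered.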