Screenly Hardening Guide

A guide to hardening your Screenly deployment

At Screenly, we believe that the onus is on us to make things as secure as possible. Much of this is described on our Security page.

However, there are some things we cannot do on behalf of our customers, and we recommend that our users do them in order to optimize their security profile.

Dashboard Hardening

Use Multi-Factor Authentication (MFA)

Screenly supports MFA in a few ways. Many users use Single Sign-On (SSO) to authenticate to Screenly. In that case, the MFA policy is configured in the authentication provider.

If you are not using SSO, we strongly recommend that you turn on 2FA in your user settings.

Practice Principle of Least Privilege

The Principle of Least Privilege (PoLP) is a security concept that mandates giving users, applications, and systems the minimum level of access—or privileges—necessary to perform their tasks.

This is a principle we use internally at Screenly, but we also recommend our users use this concept when assigning permissions to their users.

Leverage Teams as a Security Boundary

In Screenly, you can be a member of one or more teams. A screen is a property of a given team. We recommend that you leverage this feature as a security boundary. For instance, if you have five locations, each with 10 different screens, grant users access based on what they need access to.

Use Shared Playlists for Extra Hardening

Screenly allows you to share playlists across teams. While there are many use cases for this feature, one way it might be useful is as a security boundary.

For instance, you can create a dedicated team that has all your sharable assets and only grant selected users access to this team. Any user with appropriate access can schedule this playlist once it has been shared, but they cannot make changes to it.

Device Hardening

VLAN Isolation

While we adhere to the Zero Trust philosophy and assume our devices are deployed in a hostile environment, isolating your digital signage players onto a dedicated VLAN that can only communicate outwards to the internet is a good idea regardless.

While we have trust in our security model, adding an extra layer of security will not hurt.
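
One way to enforce this on a Linux router, as an added example that is not Screenly's own configuration: an nftables ruleset that lets the signage VLAN open connections to the internet and nothing else. The interface names (eth1.30 for the signage VLAN, eth0 for the uplink) and the router acting as the VLAN's DHCP and DNS server are assumptions; NAT and the policy for your other VLANs are assumed to live elsewhere.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumptions: signage VLAN is "eth1.30", uplink is "eth0",
# and this router hands out DHCP and DNS to the players.

define SIGNAGE_IF = "eth1.30"
define WAN_IF     = "eth0"

table inet signage_isolation {
    chain forward {
        # policy accept: this table only restricts the signage VLAN and
        # leaves traffic between other interfaces to your existing rules
        type filter hook forward priority 0; policy accept;

        # Players may open connections towards the internet
        iifname $SIGNAGE_IF oifname $WAN_IF accept

        # Only replies to those connections may flow back to the players
        oifname $SIGNAGE_IF ct state established,related accept

        # Everything else is logged and dropped:
        #   player -> other VLANs, other VLANs -> player, internet -> player
        iifname $SIGNAGE_IF log prefix "signage-egress-deny " drop
        oifname $SIGNAGE_IF log prefix "signage-ingress-deny " drop
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Traffic from the players to the router itself: DHCP, DNS,
        # IPv6 neighbor discovery and replies only (no SSH, no admin UI)
        iifname $SIGNAGE_IF udp dport { 53, 67 } accept
        iifname $SIGNAGE_IF tcp dport 53 accept
        iifname $SIGNAGE_IF icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        iifname $SIGNAGE_IF ct state established,related accept
        iifname $SIGNAGE_IF log prefix "signage-router-deny " drop
    }
}
```

The log prefixes give you something to alert on: a player that repeatedly hits the egress-deny rule is trying to reach internal hosts, which it has no reason to do.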

Enable BIOS Password

If you are using our Screenly Player Max, we recommend that you enable a BIOS password to prevent a malicious actor from accessing the BIOS to make changes.

Only Allow Boot from the Hard Drive

If you have enabled a BIOS password, an additional step you might want to take is to lock down the boot order to only allow booting from the internal hard drive. This prevents a malicious actor from booting from, say, a USB drive to access the system.

Note that this step is moot unless you also enable a BIOS password.
