Connection to the SQL Server and database

Communication between the Milestone XProtect VMS and the SQL Server and database can potentially be tampered with by an attacker because the server certificate is not validated.

To mitigate this, you must first set up verifiable server certificates. After the certificates are set up, you must modify the ConnectionString in the Windows registry by removing trustServerCertificate=true, as follows:

Registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\Common\ConnectionString

  • Current connection string: Data Source=localhost;initial catalog='Surveillance';Integrated Security=SSPI;encrypt=true;trustServerCertificate=true

  • Hardened connection string: Data Source=localhost;initial catalog='Surveillance';Integrated Security=SSPI;encrypt=true

With the hardened connection string, the connection is encrypted only if the server presents a verifiable certificate; otherwise, the connection attempt fails.
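The registry change described above can be scripted; the following PowerShell is an added example, not Milestone code. It assumes that ConnectionString is a string value under the ...\Server\Common key (the page gives only the full path), and the function name and the -Apply switch are hypothetical.

```powershell
# Added example, not vendor code. Run elevated, and only after verifiable
# server certificates are in place (see the precondition above).
# Assumption: ConnectionString is a string value under the Common key.
param([switch]$Apply)   # without -Apply the script only reports

$KeyPath   = 'HKLM:\SOFTWARE\VideoOS\Server\Common'
$ValueName = 'ConnectionString'

function Remove-TrustServerCertificate {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Split on ';' and keep every pair verbatim except trustServerCertificate.
    # The keyword is matched case-insensitively with whitespace ignored.
    # Assumes no value contains a literal ';'.
    $kept = foreach ($pair in $ConnectionString.Split(';')) {
        if ([string]::IsNullOrWhiteSpace($pair)) { continue }
        $key = ($pair.Split('=')[0] -replace '\s', '').ToLowerInvariant()
        if ($key -ne 'trustservercertificate') { $pair.Trim() }
    }
    $kept -join ';'
}

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName

if ($current -notmatch '(?i)(^|;)\s*trust\s*server\s*certificate\s*=') {
    Write-Output 'trustServerCertificate is not set; nothing to change.'
    return
}

$hardened = Remove-TrustServerCertificate -ConnectionString $current

if ($hardened -notmatch '(?i)(^|;)\s*encrypt\s*=\s*true\s*(;|$)') {
    # Without encrypt=true, removing the keyword does not yield an
    # encrypted, validated connection; leave the decision to the operator.
    Write-Warning 'encrypt=true is missing; review the connection string manually.'
}
elseif ($Apply) {
    Write-Output "Previous: $current"   # record this value to allow a rollback
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $hardened
    Write-Output "Updated : $hardened"
}
else {
    Write-Output "Current : $current"
    Write-Output "Hardened: $hardened"
}
```

Run it once without -Apply to compare the two strings against the Current and Hardened values shown above before writing anything.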

This issue is described in detail in the article Using Encryption Without Validation.