Advanced steps – Milestone servers
Run services with service accounts
Milestone recommends that you create service accounts for services related to XProtect VMS, instead of using a regular user account. Set up the service accounts as domain users, and only give them the permissions required to run the relevant services. See Kerberos authentication (explained). For example, the service account should not be able to log on to the Windows desktop.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 AC-5 Separation of Duties
- NIST SP 800-53 AC-6 Least Privilege
Run components on dedicated virtual or physical servers
Milestone recommends that you run the components of XProtect VMS only on dedicated virtual or physical servers without any other software or services installed.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 CM-9 Configuration Management Plan
Restrict the use of removable media on computers and servers
Milestone recommends that you restrict the use of removable media, for example USB keys, SD cards, and smartphones on computers and servers where components of XProtect VMS are installed. This helps prevent malware from entering the network. For example, allow only authorized users to connect removable media when you need to transfer video evidence.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 MP-7 Media Use
Use individual administrator accounts for better auditing
Milestone recommends using individual accounts for administrators instead of shared administrator accounts. This lets you track who does what in XProtect VMS. This helps prevent malware from entering the network. You can then use an authoritative directory such as Active Directory to manage the administrator accounts.
You assign administrator accounts to roles in Management Client under Roles.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 AC-5 Separation of Duties
- NIST SP 800-53 CM-9 Configuration Management Plan
Use subnets or VLANs to limit server access
Milestone recommends that you logically group different types of hosts and users into separate subnets. This makes it easier to manage privileges for these hosts and users as members of a group with a given function or role. Design the network so that there is a subnet or VLAN for each function, for example one subnet or VLAN for surveillance operators and one for administrators. This allows you to define firewall rules by group instead of for individual hosts.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 AC-2 Account Management
- NIST SP 800-53 CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- NIST SP 800-53 SC-7 Boundary Protection
Enable only the ports used by Event Server
Milestone recommends that you enable only the ports used by Event Server, and block all other ports, including the default Windows ports.
The Event Server ports used in XProtect VMS are 22331, 22333, 9090, 1234, and 1235.
The ports used depend on the deployment. If in doubt, contact Milestone Support.
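The following PowerShell script is an added example, not part of the Milestone guide: it allows inbound TCP on the five Event Server ports listed above, sets the Windows Defender Firewall to block all other inbound traffic, and then lists any port the host is still listening on that is not in the allow list. It assumes an administrative session on a domain-joined Event Server host using the built-in NetSecurity cmdlets, and that the port list has been confirmed for this deployment.

```powershell
# Added example (not from the Milestone guide): restrict inbound traffic on an
# Event Server host to the documented ports and block everything else.
# Assumptions: run as administrator on the Event Server, domain-joined host,
# Windows Defender Firewall (NetSecurity module) in use, port list confirmed.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Ports from the hardening guide; confirm with Milestone Support for the deployment.
$EventServerPorts = @(22331, 22333, 9090, 1234, 1235)
$RuleGroup        = 'XProtect Event Server (hardening)'

# Allow the documented Event Server ports on the domain profile only, where the
# other VMS components live. TCP only: the guide lists no UDP ports.
foreach ($port in $EventServerPorts) {
    $name = "XProtect Event Server TCP $port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $RuleGroup `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -Action Allow -Profile Domain | Out-Null
    }
}

# Default-deny inbound on every profile, with logging of dropped packets so
# that unexpected connection attempts are visible in the firewall log.
# Note: this also blocks remote management (RDP, WinRM); add explicit rules
# scoped to the administrator subnet or VLAN before relying on them.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Check: report listening TCP ports that are not in the allow list. These are
# now unreachable from the network; review each one before opening it.
$listening  = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
$unexpected = $listening | Where-Object { $EventServerPorts -notcontains $_ }
if ($unexpected) {
    Write-Warning ("Listening but not allowed inbound: " + ($unexpected -join ', '))
} else {
    Write-Host "Only the documented Event Server ports are listening."
}
```

Run the script with a console session available (not only over RDP or WinRM), since the default-deny takes effect immediately.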
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches