Basic steps – Devices

Use strong passwords instead of default passwords

Milestone recommends that you change the default passwords on devices, for example, on a camera. Do not use default passwords because they are often published on the Internet and are readily available.

Instead, use strong passwords for devices. A strong password has eight or more alphanumeric characters and includes upper-case letters, lower-case letters, and special characters.

Learn more

The following control(s) provide additional guidance:

  • NIST SP 800-53 IA-4 Authenticator Management
  • NIST SP 800-53 IA-8 Authenticator Feedback
  • NIST SP 800-53 SI-11 Error Handling

Stop unused services and protocols

To help avoid unauthorized access or information disclosure, Milestone recommends that you stop unused services and protocols on devices, for example, Telnet, SSH, FTP, UPnP, IPv6, and Bonjour.

It is also important to use strong authentication on any services that access the VMS, network, or devices. For example, use SSH keys instead of user names and passwords, and use certificates from a Certificate Authority for HTTPS. For more information, see the hardening guides and other guidance from the device manufacturer.

Learn more

The following control(s) provide additional guidance:

  • NIST SP 800-53 AC-17 Remote Access (Disable Unused Protocols)
  • NIST SP 800-53 CM-6 Configuration Settings
  • NIST SP 800-53 CM-7 Least Functionality
  • NIST SP 800-53 IA-2 Identification and Authentication
  • NIST SP 800-53 SA-9 External Information Services

Create dedicated user accounts on each device

All cameras have a default user account with a user name and password that the VMS uses to access the device. For auditing purposes, Milestone recommends that you change the default user name and password.

Create a user account specifically for use by the VMS, and use this user account and password when you add the camera to the VMS. When a recording server connects to the camera, it uses the user name and password you have created. If the camera has a log, this log shows that the recording server has connected to the camera.

With a dedicated user name and password, the device logs can help you determine whether a recording server or a person accessed the camera. This is relevant when investigating potential security issues affecting devices.
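The log review that a dedicated account makes possible, as an added example (not Milestone code). The log line format, the account name vms-svc, the default account names and all addresses are constructed assumptions; adapt the pattern to what your device actually logs.

```python
import re
from collections import Counter

# Constructed for this example (not from the guide): names, addresses, log format.
VMS_ACCOUNT = "vms-svc"
RECORDING_SERVERS = {"10.0.20.5"}
DEFAULT_ACCOUNTS = {"admin", "root"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-05-01T08:00:01Z login ok user=vms-svc src=10.0.20.5
2024-05-01T08:15:42Z login ok user=jdoe src=10.0.30.17
2024-05-01T09:02:10Z login ok user=vms-svc src=10.0.30.44
2024-05-01T09:05:33Z login fail user=admin src=10.0.30.44
2024-05-01T09:05:35Z login ok user=admin src=10.0.30.44
firmware: ntp sync complete
"""

def classify(line):
    """Return (label, fields) for a login line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    if f["user"] in DEFAULT_ACCOUNTS:
        label = "default-account"     # default account name in use or being tried
    elif f["user"] != VMS_ACCOUNT:
        label = "person"              # a named human account
    elif f["src"] in RECORDING_SERVERS:
        label = "recording-server"    # expected VMS connection
    else:
        label = "vms-account-misuse"  # VMS credentials used from another host
    return label, f

def review(log_text):
    """Return (counts per label, findings that need follow-up)."""
    counts, findings = Counter(), []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        label, f = hit
        counts[label] += 1
        if label in ("default-account", "vms-account-misuse"):
            findings.append((f["ts"], label, f["user"], f["src"], f["result"]))
    return counts, findings

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

If the VMS shared a default or personal account, the first and third sample lines would be indistinguishable; with the dedicated account, the third line stands out as VMS credentials used from a host that is not a recording server.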

You can change the user name and password for a device before or after you add it in Management Client.

To change the user name and password before you add the device, follow these steps:

  1. Go to the device’s web interface, and change the default user name and password.
  2. In Management Client, add the device, and specify the user name and password.

To change the user name and password of devices that are already added, follow these steps:

  1. In Management Client, in the Site Navigation pane, expand the Servers node and select Recording Servers.
  2. In the Recording Server pane, expand the recording server that contains the device, and then right-click the device and select Edit hardware.
  3. Under Authentication, enter the new user name and password.

Learn more

The following control(s) provide additional guidance:

  • NIST SP 800-53 AC-2 Account Management
  • NIST SP 800-53 AC-4 Least Privilege

Scanning for devices

Scanning for devices (for example, Express scan or Address range scanning when adding hardware) is done using broadcasts that may contain user names and passwords in plain text.

Unless this is an initial setup, this functionality should not be used for adding devices to the system. Use the Manual option instead and manually select the driver.