Management Server
Adjust the token time-out
XProtect VMS uses session tokens when it logs in to the management server using the SSL (basic users) or NTLM (Windows users) protocols. A token is retrieved from the management server and then used on the secondary servers, for example the recording server and sometimes also the event server. This avoids performing an NTLM and AD lookup on every server component.
By default, a token is valid for 240 minutes. You can adjust this value in 1-minute steps, and you can change it again later. Short intervals increase security; however, the system generates additional communication each time it renews the token.
The best interval depends on the deployment. This additional communication increases the system load and can impact performance.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 IA-5 Authenticator Management
Enable only the ports used by the management server
Milestone recommends that you enable only the ports used by the management server, and that you block all other ports, including the default Windows ports. This guidance is consistent for the server components of XProtect VMS.
The management server ports used in XProtect VMS are: 80, 443, 1433, 7475, 8080, 9000, 12345.
The ports used depend on the deployment. If in doubt, contact Milestone Support.
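As an added example (not part of the Milestone guide), the following PowerShell script applies the recommendation above with Windows Defender Firewall: inbound traffic is blocked by default and only the management server ports listed above are allowed. The rule name and the port list are assumptions; trim the list to the ports your deployment actually uses.

```powershell
# Added example, not from the Milestone guide. Run in an elevated PowerShell
# session on the management server. $MgmtPorts is the list from the guide;
# remove any port your deployment does not use (for example 1433 if SQL Server
# is only reached locally).
$MgmtPorts = 80, 443, 1433, 7475, 8080, 9000, 12345
$RuleName  = 'XProtect Management Server'   # assumed rule name

# Block all inbound traffic by default on every profile; leave outbound open.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Remove an earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow only the management server ports (TCP, inbound) on all profiles.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $MgmtPorts -Action Allow -Profile Any | Out-Null

# Show the resulting rule for review.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Built-in inbound allow rules (for example Remote Desktop or File and Printer Sharing) still apply under the Block default; list them with Get-NetFirewallRule -Direction Inbound -Enabled True and disable the ones the deployment does not need, which is how the default Windows ports are blocked. If you manage the server over RDP, keep or add an allow rule for that port before running the script.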
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 AC-2 Account Management
- NIST SP 800-53 SC-7 Boundary Protection
Disable non-secure protocols
When a basic user logs in to the management server through IIS, the Management Client uses any protocol that is available. Milestone recommends that you always implement the latest version of Transport Layer Security (TLS, currently 1.2) (https://datatracker.ietf.org/wg/tls/charter/), and that you disable all weak cipher suites and obsolete versions of the TLS/SSL protocols. Block non-secure protocols at the OS level: because the OS determines which protocol is used, this prevents the Management Client from using protocols that are not secure.
The protocols used depend on the deployment. If in doubt, contact Milestone Support.
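As an added example (not part of the Milestone guide), the following PowerShell script disables the obsolete SSL/TLS versions at the OS level through the SCHANNEL registry keys, so that IIS and the Management Client can only negotiate TLS 1.2, and it tells .NET Framework applications to follow the OS protocol list. The set of versions treated as obsolete (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) is an assumption based on the guide's "currently 1.2" statement.

```powershell
# Added example, not from the Milestone guide. Run elevated; a reboot is
# required for SCHANNEL changes to take effect. Test on a non-production
# server first: clients limited to older versions will no longer connect.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Helper: create the key and write Enabled / DisabledByDefault as DWORDs.
function Set-SchannelProtocol([string]$Proto, [string]$Role, [int]$Enabled) {
    $Key = Join-Path $Base "$Proto\$Role"
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
    # DisabledByDefault=1 keeps a version off even for applications that
    # do not request an explicit protocol list.
    New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value (1 - $Enabled) -Force | Out-Null
}

# Obsolete versions: off for both the server (inbound) and client (outbound) role.
foreach ($Proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($Role in 'Server', 'Client') { Set-SchannelProtocol $Proto $Role 0 }
}
# TLS 1.2 explicitly on for both roles.
foreach ($Role in 'Server', 'Client') { Set-SchannelProtocol 'TLS 1.2' $Role 1 }

# .NET Framework 4.x applications (such as the management server) use the OS
# default protocol list instead of a hard-coded older version.
foreach ($Fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $Fw) {
        New-ItemProperty -Path $Fw -Name 'SchUseStrongCrypto' -PropertyType DWord `
            -Value 1 -Force | Out-Null
        New-ItemProperty -Path $Fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

# Report the resulting protocol state for review.
Get-ChildItem $Base -Recurse | Where-Object PSChildName -in 'Server', 'Client' |
    ForEach-Object {
        '{0,-8} {1,-6} Enabled={2}' -f $_.PSParentPath.Split('\')[-1],
            $_.PSChildName, (Get-ItemProperty $_.PSPath).Enabled
    }
```

Cipher suites are configured separately; on Windows Server 2016 and later the Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets show and remove individual suites.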
Learn more
The following control(s) provide additional guidance:
- NIST 800-53 AC-17 Remote Access (Disable Unused Protocols)
- NIST 800-53 CM-6 Configuration Settings
- NIST 800-53 CM-7 Least Functionality
Disable legacy remoting channel
Before XProtect VMS 2023 R1
Communication between the recording servers and the management server became more secure with the solution implemented in 2019 R2. If you upgrade from an earlier XProtect VMS release, the management server still starts the legacy 3rd party remoting technology so that it can communicate with recording servers on older releases.
When all recording servers in your system are upgraded to version 2019 R2 or later, you can set UseRemoting to False in the management server configuration file.
Setting UseRemoting to False prevents the legacy remoting channel from starting. Setting this option once all recording servers are upgraded makes XProtect VMS less vulnerable.
From XProtect VMS 2023 R1
From 2023 R1, the management server can no longer use the legacy 3rd party remoting technology to communicate with recording servers on older releases.
If you upgrade from a version 2019 R1 or earlier to 2023 R1, both the management server and the recording server must be upgraded before the communication between the recording server and the management server can be established.
Also, from 2023 R1, the option to set UseRemoting to False in the management server configuration file is not applicable.
Learn more
The following control(s) provide additional guidance:
- NIST 800-53 AC-17 Remote Access (Disable Unused Protocols)
- NIST 800-53 CM-6 Configuration Settings
Manage IIS header information
Disable IIS header information
For security purposes, Milestone recommends that you disable the X-Powered-By HTTP and X-AspNet-Version headers.
The HTTP header X-Powered-By reveals the version of IIS being used on the server. Disable this header by doing the following:
- Open the IIS Manager.
- Select the Default website.
- Select HTTP Response Headers.
- Select the X-Powered-By HTTP header and select Remove.
The HTTP header X-AspNet-Version reveals the version of ASP.NET being used by the Management Server application pool. Disable this header by doing the following:
- Open the web.config file located in %windir%\Microsoft.NET\Framework\v4.0.30319\CONFIG.
- After the <system.web> tag, add this: <httpRuntime enableVersionHeader="false" />
- Save the file.
Do not remove the Server header, because doing so breaks functionality within the Management Server.
Set X-Frame Options
For security purposes, Milestone recommends that you set the X-Frame-Options to deny.
Setting the HTTP header X-Frame-Options to deny prevents the page from being loaded in a frame, regardless of which site is attempting to frame it.
Change this header by doing the following:
- Open the IIS Manager.
- Select the Default website > Installation.
- Select HTTP Response Headers.
- Right-click and select Add from the menu.
- In the Name field write X-Frame-Options, and in the Value field write deny.
Disable IIS HTTP TRACE / TRACK verbs
For security purposes, Milestone recommends that you disable the HTTP TRACE and TRACK verbs, as well as OPTIONS, in your IIS installation. Disable these verbs by doing the following:
- Open the IIS manager.
- Select the Default website.
- Double-click Request filtering.
If Request filtering is not available, install it by following the instructions here: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/
- Select the HTTP Verbs tab.
- Select Deny Verb from the Actions menu.
- Type TRACE and click OK.
- Select Deny Verb from the Actions menu.
- Type TRACK and click OK.
- Select Deny Verb from the Actions menu.
- Type OPTIONS and click OK.
Disable the IIS Default Page
For security purposes, Milestone recommends that you disable the IIS Default Page. By doing this, you remove information that could be used to discover what technologies are used in your installation, and you align with IIS Best Practices as defined by Microsoft. Disable the default page by doing the following:
- Open the IIS manager.
- Select the Default website.
- Double-click Default Document.
- Select Disable in the Actions menu.
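As an added example (not part of the Milestone guide), the following PowerShell script performs the IIS steps from the sections above in one re-runnable pass: it removes X-Powered-By, hides the ASP.NET version header in the framework root web.config, sets X-Frame-Options to deny, denies the TRACE, TRACK and OPTIONS verbs, and disables the default document. It assumes the site is named 'Default Web Site' and applies the header at site level so that the Installation application inherits it.

```powershell
# Added example, not from the Milestone guide. Requires the WebAdministration
# module (IIS Management Scripts and Tools) and an elevated session.
Import-Module WebAdministration
$Site    = 'IIS:\Sites\Default Web Site'     # assumed site name
$Headers = 'system.webServer/httpProtocol/customHeaders'
$Verbs   = 'system.webServer/security/requestFiltering/verbs'

# 1. Remove X-Powered-By from the site's response headers (inherited from
#    the server level, so this writes a <remove> entry for the site).
$hdrs = Get-WebConfigurationProperty -PSPath $Site -Filter $Headers -Name Collection
if ($hdrs | Where-Object name -eq 'X-Powered-By') {
    Remove-WebConfigurationProperty -PSPath $Site -Filter $Headers -Name '.' `
        -AtElement @{ name = 'X-Powered-By' }
}

# 2. Hide the ASP.NET version header in the same web.config the manual steps
#    edit; a backup copy is written first and whitespace is preserved.
$CfgPath = Join-Path $env:windir 'Microsoft.NET\Framework\v4.0.30319\CONFIG\web.config'
Copy-Item -Path $CfgPath -Destination "$CfgPath.bak" -Force
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($CfgPath)
$sysWeb  = $cfg.SelectSingleNode('/configuration/system.web')
$runtime = $sysWeb.SelectSingleNode('httpRuntime')
if (-not $runtime) { $runtime = $sysWeb.AppendChild($cfg.CreateElement('httpRuntime')) }
$runtime.SetAttribute('enableVersionHeader', 'false')
$cfg.Save($CfgPath)

# 3. Add X-Frame-Options: deny at site level.
if (-not ($hdrs | Where-Object name -eq 'X-Frame-Options')) {
    Add-WebConfigurationProperty -PSPath $Site -Filter $Headers -Name '.' `
        -Value @{ name = 'X-Frame-Options'; value = 'deny' }
}

# 4. Deny the TRACE, TRACK and OPTIONS verbs via request filtering.
$denied = Get-WebConfigurationProperty -PSPath $Site -Filter $Verbs -Name Collection
foreach ($verb in 'TRACE', 'TRACK', 'OPTIONS') {
    if (-not ($denied | Where-Object verb -eq $verb)) {
        Add-WebConfigurationProperty -PSPath $Site -Filter $Verbs -Name '.' `
            -Value @{ verb = $verb; allowed = 'false' }
    }
}

# 5. Disable the default document so the site root does not serve the IIS page.
Set-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/defaultDocument' `
    -Name 'enabled' -Value $false

# Review the resulting headers and verb filters.
Get-WebConfigurationProperty -PSPath $Site -Filter $Headers -Name Collection | Select-Object name, value
Get-WebConfigurationProperty -PSPath $Site -Filter $Verbs -Name Collection | Select-Object verb, allowed
```

The Server header is deliberately left in place, as the guide requires. After an iisreset, a request to the site should show no X-Powered-By or X-AspNet-Version header and an X-Frame-Options: deny header, and TRACE requests should be rejected by request filtering.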