XProtect Mobile Server
Only enable ports that Mobile Server uses
Milestone recommends that you enable only the ports that Mobile Server uses, and block all other ports, including the default Windows ports.
By default, the XProtect Mobile Server uses ports 8081 and 8082.
The ports used depend on the deployment. If in doubt, contact Milestone Support.
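The following PowerShell is an added example and not part of the Milestone guide: it applies the recommendation above on the Mobile Server host by allowing inbound TCP 8081 and 8082, keeping administrative access reachable only from an internal subnet, and blocking everything else inbound. The ports are the defaults named above; the admin subnet and the choice of RDP for administration are assumptions to adjust for your deployment.

```powershell
# Added example (not from the Milestone guide). Run in an elevated PowerShell
# on the Mobile Server host. Create the allow rules BEFORE tightening the default
# action so an interactive session is not cut off.
# ASSUMPTIONS: default Mobile Server ports 8081/8082 (as stated in the guide);
# the admin subnet below is a placeholder for your internal VMS/admin network.
$MobileServerPorts   = @('8081', '8082')
$InternalAdminSubnet = '10.0.0.0/24'   # placeholder

# Mobile clients reach the Mobile Server on these ports (public interface).
New-NetFirewallRule -DisplayName 'XProtect Mobile Server (client ports)' `
    -Direction Inbound -Protocol TCP -LocalPort $MobileServerPorts `
    -Action Allow -Profile Any | Out-Null

# Remote administration (RDP assumed here) only from the internal network.
New-NetFirewallRule -DisplayName 'Admin RDP from internal network only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $InternalAdminSubnet -Action Allow -Profile Any | Out-Null

# Default-deny inbound on every profile, so default Windows ports
# (135 RPC, 137-139 NetBIOS, 445 SMB, ...) are not exposed unless a rule allows them.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Review: every enabled inbound Allow rule and the ports it opens. Built-in
# Windows rules that are not needed on this host should be disabled.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort |
    Format-Table -AutoSize
```

With the two-interface layout recommended in the next section, the client-port rule can be scoped to the public adapter with `-InterfaceAlias`, and the admin rule to the internal one. The final listing is the check to run after applying the rules: anything it shows beyond the Mobile Server ports and your administrative path is a candidate for `Disable-NetFirewallRule`.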
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 AC-2 Account Management
- NIST SP 800-53 SC-7 Boundary Protection
Use a "demilitarized zone" (DMZ) to provide external access
Milestone recommends that you install Mobile Server in a DMZ, and on a computer with two network interfaces:
- One for internal communication
- One for public Internet access
This allows mobile client users to connect to Mobile Server with a public IP address, without compromising the security or availability of the VMS network.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 SC-7 Boundary Protection
Disable non-secure protocols
Milestone recommends that you use only the necessary protocols, and only the latest versions. For example, implement the latest version of the Transport Layer Security (TLS, currently 1.2) and disable all other cipher suites and obsolete versions of TLS/SSL protocols. This requires configuration of Windows and other system components, and the proper use of digital certificates and keys.
The same recommendation is given for the Management Server. For more information, see Disable non-secure protocols.
Learn more
The following control(s) provide additional guidance:
- NIST SP 800-53 AC-17 Remote Access (Disable Unused Protocols)
- NIST SP 800-53 CM-6 Configuration Settings
- NIST SP 800-53 CM-7 Least Functionality
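The guide says this is done by configuring Windows; the PowerShell below is an added example (not Milestone's own procedure) that disables SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in Windows SChannel on the Mobile Server host and leaves TLS 1.2 enabled. It assumes a Windows version whose SChannel honours the registry keys shown; the change affects every SChannel-based service on the host, not only the Mobile Server, and takes effect after a reboot.

```powershell
# Added example (not from the Milestone guide). Run elevated; reboot afterwards.
# ASSUMPTION: the host's SChannel reads the Protocols\<name>\{Server,Client} keys.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Server side covers connections the Mobile Server accepts; Client side covers
    # the connections it makes itself (Management Server, SMTP server for codes).
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path $Base "$Name\$Side"
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps SChannel
        # from offering it even to applications that request "all protocols".
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

foreach ($Obsolete in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $Obsolete -Enabled $false
}
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Review the resulting state before rebooting.
Get-ChildItem -Path $Base -Recurse |
    Where-Object { $_.PSChildName -in 'Server', 'Client' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Protocol          = $_.PSParentPath.Split('\')[-1]
            Side              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize
```

Before applying this, confirm that every client that must connect (mobile apps, browsers, and any older VMS components talking to this host) supports TLS 1.2; after the reboot they will get a handshake failure otherwise. Cipher suites, which the guide also asks you to restrict, are controlled separately on current Windows versions with `Get-TlsCipherSuite` and `Disable-TlsCipherSuite`.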
Set up users for two-step verification via email
Available functionality depends on the system you are using. See the complete feature list, which is available on the product overview page on the Milestone website (https://www.milestonesys.com/products/software/xprotect-comparison/).
To impose an additional login step on users of the XProtect Mobile client or XProtect Web Client, set up two-step verification on the Mobile Server. In addition to the standard user name and password, the user must enter a verification code received by email.
Two-step verification increases the protection level of your surveillance system.
Requirements
- You have installed an SMTP server.
- You have added users and groups to your XProtect system in the Management Client on the Roles node in the Site Navigation pane. On the relevant role, select the Users and Groups tab.
- If you upgraded your system from a previous version of XProtect, you must restart the Mobile Server to enable the two-step verification feature.
In the Management Client, perform these steps:
- Enter information about your SMTP server.
- Specify the settings for the verification code that will be sent to the client users.
- Assign login method to users and domain groups.
This topic describes each of these steps.
Enter information about your SMTP server
The provider uses the information about the SMTP server:
- In the navigation pane, select Mobile Servers, and select the relevant Mobile Server.
- On the Two-step verification tab, select the Enable two-step verification check box.
- Below Provider settings, on the Email tab, enter information about your SMTP server and specify the email that the system will send to client users when they log in and are set up for a secondary login. For details about each parameter, see Two-step verification tab.
Specify the verification code that will be sent to the users
To specify the complexity of the verification code:
- On the Two-step verification tab, in the Verification code settings section, specify the period within which XProtect Mobile client or XProtect Web Client users do not have to reverify their login in case of, for example, a disconnected network. The default period is 3 minutes.
- Specify the period within which the user can use the received verification code. After this period, the code is invalid and the user has to request a new code. The default period is 5 minutes.
- Specify the maximum number of code entry attempts before the user is blocked. The default number is 3.
- Specify the number of characters for the code. The default length is 6.
- Specify the complexity of the code that you want the system to compose.
Assign login method to users and Active Directory groups
On the Two-step verification tab, in the User settings section, the list of users and groups added to your XProtect system appears.
- In the Login method column, select between no login, no two-step verification, or delivery method of codes.
- In the Details field, add the delivery details such as email addresses of individual users. Next time the user logs into the XProtect Mobile client or the XProtect Web Client, he or she is asked for a secondary login.
- If a group is configured in Active Directory, the Mobile Server uses details, such as email addresses, from Active Directory.
Windows groups do not support two-step verification.
- Save your configuration.
You have completed the steps for setting up your users for two-step verification via email.
Two-step verification tab
Use the Two-step verification tab to enable and specify an additional login step on users of:
- XProtect Mobile app on their iOS or Android mobile devices
- XProtect Web Client
The first type of verification is a password. The second type is a verification code, which you can configure to be sent to the user via email.
For more information, see Set up users for two-step verification via email.
The following tables describe the settings on this tab.
Provider settings > Email

| Name | Description |
|---|---|
| SMTP server | Enter the IP address or host name of the simple mail transfer protocol (SMTP) server for two-step verification emails. |
| SMTP server port | Specify the port of the SMTP server for sending emails. The default port number is 25 without SSL and 465 with SSL. |
| Use SSL | Select this check box if your SMTP server supports SSL encryption. |
| User name | Specify the user name for logging in to the SMTP server. |
| Password | Specify the password for logging in to the SMTP server. |
| Use Secure Password Authentication (SPA) | Select this check box if your SMTP server supports SPA. |
| Sender's email address | Specify the email address for sending verification codes. |
| Email subject | Specify the subject title for the email. Example: Your two-step verification code. |
| Email text | Enter the message you want to send. Example: Your code is {0}. If you forget to include the {0} variable, the code is added at the end of the text by default. |
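Verification codes travel to the user over the SMTP connection configured above, so it is worth confirming that the server actually offers TLS on the port you enter before you select Use SSL. The PowerShell below is an added example, not part of the Milestone guide: it opens the implicit-TLS port from the table (465 by default), completes the TLS handshake with normal certificate validation, and reports the negotiated protocol, the certificate and the SMTP banner. The server name is a placeholder.

```powershell
# Added example (not from the Milestone guide): pre-check of the "Use SSL" SMTP
# settings from the Mobile Server host. ASSUMPTION: implicit TLS on port 465,
# as the table's default; the host name below is a placeholder.
function Test-SmtpTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 465
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        # Default certificate validation is kept deliberately: a certificate the
        # host does not trust throws here, which is what a real client would hit.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $reader = [System.IO.StreamReader]::new($ssl)
        $banner = $reader.ReadLine()      # SMTP greeting, e.g. "220 ..."
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Server      = $Server
            Port        = $Port
            Protocol    = $ssl.SslProtocol        # expect Tls12 after the SChannel hardening
            Cipher      = $ssl.CipherAlgorithm
            CertSubject = $cert.Subject
            CertExpires = $cert.NotAfter
            Banner      = $banner
        }
    } finally {
        $client.Dispose()
    }
}

Test-SmtpTls -Server 'smtp.example.com' -Port 465 | Format-List
```

Run it from the Mobile Server host itself rather than a workstation: the protocol it negotiates and the certificate chain it accepts are those of that host's SChannel configuration and trust store, which is what the Mobile Server will use when it sends codes. A failure here with a server that works from elsewhere usually points at a missing root certificate on the host or at the server still requiring a protocol version you have disabled.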
Verification code settings

| Name | Description |
|---|---|
| Reconnection timeout (0-30 minutes) | Specify the period within which XProtect Mobile client users do not have to reverify their login in case of, for example, a disconnected network. The default period is three minutes. This setting does not apply to XProtect Web Client. |
| Code expires after (1-10 minutes) | Specify the period within which the user can use the received verification code. After this period, the code is invalid and the user has to request a new code. The default period is five minutes. |
| Code entry attempts (1-10 attempts) | Specify the maximum number of code entry attempts before the provided code becomes invalid. The default number is three. |
| Code length (4-6 characters) | Specify the number of characters for the code. The default length is six. |
| Code composition | Specify the complexity of the code that you want the system to generate. You can select among: |
User settings

| Name | Description |
|---|---|
| Users and groups | Lists the users and groups added to the XProtect system. If a group is configured in Active Directory, the Mobile Server uses details, such as email addresses, from Active Directory. Windows groups do not support two-step verification. |
| Verification method | Select a verification setting for each user or group. You can select among: |
| User details | Enter the email address to which each user will receive codes. |
Configure the Content Security Policy (CSP)
WebSockets with wildcards should be removed from the CSP headers on the Mobile Server.
Currently, the ws://*:* and wss://*:* sources cannot be removed entirely from the CSP in the Mobile Server configuration when Safari must be supported, due to Safari browser limitations.
To increase the security on your Mobile Server, do the following:
- Open the VideoOS.MobileServer.Service.exe.config file, which is located in the installation folder of the Mobile Server.
- In the <HttpHeaders> section, modify the value of key="Content-Security-Policy" as follows:
  - If Safari browser support is not needed, remove ws://*:* and wss://*:* from the header.
  - If Safari browser support is required, replace ws://*:* and wss://*:* with the relevant ws://[hostname]:[port] and wss://[hostname]:[port] values, where hostname and port are the ones used for accessing the Mobile Server.
- Restart the Mobile Server.
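The PowerShell below is an added example, not Milestone's own tooling, that performs the edit above with a backup and a check that no wildcard WebSocket source survives. It assumes the config file path shown (a placeholder for your installation folder), that the header value contains the literal tokens ws://*:* and wss://*:* as the guide describes, and that the Mobile Server Windows service can be found by a display name containing "Mobile Server"; verify that last point with Get-Service first.

```powershell
# Added example (not from the Milestone guide). Run elevated on the Mobile Server host.
# ASSUMPTIONS: placeholder install path, host name and port; the CSP value holds the
# literal tokens ws://*:* and wss://*:*; service display name matches '*Mobile Server*'.
$ConfigPath = 'C:\Program Files\Milestone\XProtect Mobile Server\VideoOS.MobileServer.Service.exe.config'  # placeholder
$Hostname   = 'mobile.example.com'   # placeholder: the name clients use to reach the Mobile Server
$Port       = 8082                   # placeholder: the port clients connect to
$KeepSafari = $true                  # $false: Safari not needed, drop the WebSocket sources

# Always keep a timestamped copy of the original configuration.
$Backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $Backup
$Original = Get-Content -LiteralPath $ConfigPath -Raw

if ($KeepSafari) {
    # Safari required: pin the sources to the real host and port instead of wildcards.
    $Updated = $Original.Replace('wss://*:*', "wss://${Hostname}:${Port}").Replace('ws://*:*', "ws://${Hostname}:${Port}")
} else {
    # Safari not required: remove the tokens together with the whitespace before them.
    $Updated = [regex]::Replace($Original, '\s*wss?://\*:\*', '')
}

# Guards: do not write a file that did not change, or one where wildcards remain.
if ($Updated -eq $Original) { throw 'No wildcard WebSocket sources found; nothing changed.' }
if ($Updated -match 'wss?://\*:\*') { throw 'Wildcard WebSocket sources still present; aborting.' }

Set-Content -LiteralPath $ConfigPath -Value $Updated -NoNewline -Encoding UTF8
Write-Host "CSP header updated. Backup written to $Backup"

# Show the resulting header line for review, then restart the service.
Select-String -LiteralPath $ConfigPath -Pattern 'Content-Security-Policy' | ForEach-Object Line
Get-Service -DisplayName '*Mobile Server*' | Restart-Service
```

After the restart, confirm from a browser's developer tools or with a plain HTTP request to the Mobile Server that the Content-Security-Policy response header now lists only the pinned ws:// and wss:// sources (or none). If a client breaks, the backup file restores the previous header.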