Securing XProtect VMS media databases

Permissions

Access to live and recorded audio, video, and metadata through the recording server’s APIs, for instance when using the XProtect VMS product clients or MIP SDK, is protected by user authentication and security permissions set for the users.

To protect the media database files on the recording server disk or NAS/file share from unauthorized direct access, it is recommended to ensure that only IT administrators and/or XProtect VMS administrators have login permissions to the server running the recording server. Furthermore, if the recording server archives recordings to a NAS/file share, it is also recommended to configure security and permissions control for accessing the NAS/file share where the media database is stored. This ensures that only the recording server can access the files and not any user with access to the network.

When enabling security on a NAS/file share, the recording server service must be changed from running under the ‘Network Service' account to running under a Windows Domain or Workgroup account. The account the recording server service is set to run under must then be granted rights to access the NAS/file share holding the media database.

The account to run the recording server service under is set via the Microsoft Windows ‘Services’ dialog.

Select ‘Properties’ for ‘Milestone XProtect Recording Server’ in Windows Services

‘Log On’ settings in Service Properties

Open the ‘Services‘ dialog in Microsoft Windows, find the ‘Milestone XProtect Recording Server‘ service in the list. Right-click and select the ‘Properties’ option. In the shown dialog, select ‘Log On’, then ‘This account:’ and enter user credentials for a user with access to the file share.

Media database encryption

In extension to protecting access to the server running the recording server and protection access to the NAS/file shares, it is also possible to add a layer of security on the media database itself by enabling the media database to encrypt the files stored on the disk.

It is important to document and keep the password in a safe place as it may be needed later in case the settings must be changed or if the media databases need to be opened and read directly by the ‘XProtect Smart Client – Player’. This could, for example, be to view the recordings in a backup or a copy of the media database.

The encryption standard used for both the ‘Light’ and ‘Strong’ options are AES-256. The difference between the two encryption options lies in the amount of data that is encrypted.

Light encryption

Light encryption only encrypts a smaller section in the beginning of each record (a JPEG image, a video GOP, an audio segment, or a metadata file) stored in the media database. Without access to this initial section of the record, it is impossible or at least extremely difficult to decode/understand the remaining data in the record
Because only a small part of the record is encrypted, it requires less processing power to encrypt the record

Strong encryption

Strong encryption encrypts the entire record stored in the media database
Because all data in the record is encrypted, it requires more processing power to encrypt the record

Note: Media database encryption is only available in XProtect Expert and XProtect Corporate.

Media database signing

In addition to protecting the recordings with permission settings and encryption, it is also possible to add a digital signature to the media database. With a digital signature added to the media database it is possible to check and verify that the original media database files on the recording server disk or NAS/file share have not been tampered with.

When exporting media using the XProtect Smart Client and the XProtect format, it is possible to include the original digital signature as well as to add a second signature during the export. When this export is viewed in the ‘XProtect Smart Client – Player’, the digital signatures can be verified to check that the original recordings and exported data have not been tampered with.

Note: Media database signing during recording is only available in XProtect Expert and XProtect Corporate. The option to add a signature during an export is available in all XProtect VMS products.