
Windows Server Forum / Windows Media Server / June 2004


Securing the media server

Jon Suyo - 18 Jun 2004 20:50 GMT
OK - 3 separate questions based upon the following setup.
A Windows 2003 enterprise server running only winmed services.  I plan to have on-demand content and live webcasts that should be accessible to the world.  The server sits on its own workgroup and the winmed encoder (just for the live webcasts) sits on a corporate domain.  The encoder and the server have no rights in each other's domain/workgroups:

1) Is there a benefit to using the built in account "Network Service" as opposed to an account I create?  
2) I use an account on the server that I created and use that account for anonymous authentication.  That account has Read-Only rights on the publishing point's source directory.  I then use the NTFS ACL authorization plug-in.  Is that as secure as I can get it? (Can't use WMS Negotiate Authentication since these feeds need to be accessed by anyone - anywhere.)
3) We'd like to push a webcast so that the encoder controls the feed/stream.  Since the encoder sits on one domain and the server on a totally unrelated workgroup, how do I allow the encoder to connect and push the feed? I only get access denied.  The WMS Publishing Points ACL is configured, but I never get prompted for a user/pass.

Thanks in advance for your time & help.
Ravi Raman - 19 Jun 2004 21:42 GMT
1. Mostly that all the resources that WMServer uses have
the appropriate ACLs to permit NetworkService. And in a
domain setup, NetworkService will impersonate the
computer account when accessing other resources in the
domain which can be useful in some cases. You can change
it to an account of your liking, but you will need to fix
all the ACLs so that this account has read access (say
to registry keys, files etc.). Network Service account
has fairly low privileges compared to Administrator or
Power User account, so I don't see a reason why you want
to create a custom account.
2. I am not sure what other kind of security you are
expecting. Can you be more specific?
3. Do you have WMS Negotiate disabled? When you push
anonymous authentication is tried. The publishing points
ACL plug-in allows "Write/create" access only to Admin
users. So, since anonymous users are not allowed, access
is denied. The server would then attempt to use negotiate
to authenticate you after that. If you give the admin
password of the server machine with Negotiate, that
should enable you to push. (Alternatively, if you don't
want to use Admin account you can create a new push
account, give that account create/write access on "WMS
Publishing Points ACL Authorization" and then provide
this account's credentials when prompted on the encoder.)

Hope this helps.
Ravi
-
This posting is provided "AS IS" with no warranties, and
confers no rights.

>-----Original Message-----
>OK - 3 separate questions based upon the following setup.
>A Windows 2003 enterprise server running only winmed services.  I plan to have on-demand content and live webcasts that should be accessible to the world.  The server sits on its own workgroup and the winmed encoder (just for the live webcasts) sits on a corporate domain.  The encoder and the server have no rights in each other's domain/workgroups:
>
>1) Is there a benefit to using the built in account "Network Service" as opposed to an account I create?
>2) I use an account on the server that I created and use that account for anonymous authentication.  That account has Read-Only rights on the publishing point's source directory.  I then use the NTFS ACL authorization plug-in.  Is that as secure as I can get it? (Can't use WMS Negotiate Authentication since these feeds need to be accessed by anyone - anywhere.)
>3) We'd like to push a webcast so that the encoder controls the feed/stream.  Since the encoder sits on one domain and the server on a totally unrelated workgroup, how do I allow the encoder to connect and push the feed? I only get access denied.  The WMS Publishing Points ACL is configured, but I never get prompted for a user/pass.
>
>Thanks in advance for your time & help.
>.
jsuyo - 20 Jun 2004 09:33 GMT
1. OK - I guess I'll switch back to NetworkService.
2. I am simply trying to lock down the server as much as possible.  I assumed that if I used anon authentication and gave only READ rights to that account, I'd be as secure as it gets.
3. By using WMS Negotiate, wouldn't clients also get prompted to authenticate?
I don't want unauthorized users to be able to create a broadcast (obviously) but at the same time, I want any user to be able to view the broadcast.

PS
Thank you for responding!

> 1. Mostly that all the resources that WMServer uses have
> the appropriate ACLs to permit NetworkService. And in a
[quoted text clipped - 57 lines]
> >Thanks in advance for your time & help.
> >.
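
An added example, not part of any post in this thread: a PowerShell check that the account used for anonymous authentication, together with the groups it belongs to, holds no write-class rights on a publishing point's source directory (the setup discussed in question 2). The function name `Find-WritableAce` is hypothetical, and the demo at the bottom runs against a constructed temporary folder with the current user standing in for the anonymous account.

```powershell
# Added example: list Allow ACEs that give the named principals more than
# read access to a directory. Checks the directory's own ACL only; files
# beneath it with explicit (non-inherited) ACEs need the same check.
function Find-WritableAce {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        # The account plus every group it is a member of: rights granted to
        # Everyone or BUILTIN\Users apply to the account as well.
        [Parameter(Mandatory = $true)] [string[]] $Principal
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow changing content, permissions or ownership.
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor
                       $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # GENERIC_WRITE and GENERIC_ALL can appear unmapped on inherit-only ACEs.
    $genericMask = 0x40000000 -bor 0x10000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # -notcontains compares strings case-insensitively.
        if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            New-Object psobject -Property @{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo input: a temp folder, checked for the current user.
# A user normally has FullControl on their own temp folder, so this is
# expected to report a finding.
$demo = New-Item -ItemType Directory -Force -Path (Join-Path $env:TEMP 'wms-acl-demo')
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$findings = Find-WritableAce -Path $demo.FullName -Principal $me, 'Everyone', 'BUILTIN\Users'

if ($findings) { $findings | Format-Table Identity, Rights, Inherited -AutoSize }
else           { 'No write-class ACEs for the listed principals.' }
```

On the media server, pass the publishing point's source directory as `-Path` and the anonymous-authentication account plus its group memberships as `-Principal`; an empty result means none of those principals is granted write-class rights on that directory.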
 