Microsoft Windows Media Resource Kit (Pro-Resource Kit)

Test #4: Security

Before any server is deployed on their corporate network, Fabrikam technicians make sure security features have been properly configured to protect the server and the content contained on it. The security features provided by Windows Server 2003 and Windows Media Services cover the following areas:

• Computer security. If the computer is not secure, Windows Media Services will not be secure. Read the Windows Server 2003 Help, and then use the documented security features and methods to make sure that the data and software on the computer are as safe as possible.

• Content security. Authentication and authorization plug-ins can be enabled on Windows Media servers to restrict viewing of sensitive content. You can customize restrictions for individual files, groups of files in publishing points, live streams, and playlists. For example, Fabrikam could host sensitive marketing material on a publishing point that was restricted to certain individuals or groups, and host unrestricted, public material on a general publishing point. Another publishing point could carry a restricted live unicast stream of a crucial meeting with a new client. Another way to secure content is to use Windows Media Rights Manager. This method adds encryption to the digital media itself. For more information, see chapter 13.

• Windows Media Services Administrator for the Web security. This tool provides an easy and versatile way to administer Windows Media servers in situations where the MMC snap-in cannot be used. You can administer one or more Windows Media servers by using a browser to connect over an intranet to this administration Web site. To ensure that the server is administered only by those who have permission, set up security for the administration Web site on your computer.

In this test, Fabrikam technicians secure content on the default publishing point by adding and configuring authentication and authorization, and then attempting to access the content as an authenticated user and as an unauthenticated user.

Publishing point security checks users two ways before they are given access to secure content. The first check is authentication, which compares the user name against a password. The second check is authorization, which compares the authenticated user name against a list of users who have permission to access the content. Windows Media Services plug-ins provide the following methods of authenticating and authorizing users:

• WMS Anonymous User Authentication. Enables unauthenticated users to access content without being prompted for a user name or password.

• WMS Negotiate Authentication. Uses the Negotiate protocol to determine whether Kerberos or NTLM authentication is used. Both types of authentication use a challenge/response encrypted authentication mechanism.

• WMS Digest Authentication. Uses a challenge/response HTTP authentication protocol that does not require a password to be sent over a network. Instead, the plug-in uses a hashed version of a password to authenticate the user.

• WMS NTFS ACL Authorization. Enforces permissions that were set on files and directories in an NTFS file system when streaming from an on-demand publishing point.

• WMS IP Address Authorization. Enables you to allow or deny access to content for specific IP addresses.

• WMS Publishing Points ACL Authorization. Enables you to allow or deny specific users, servers, or groups to access content for all publishing points on a server or for a specific publishing point.

For testing purposes, Fabrikam use simple security methods that work on a closed LAN that does not have access to a domain server. The Negotiate plug-in relies upon established user logon credentials that are authenticated using NTLM or Kerberos authentication. In the closed LAN system, the user is known to all three computers, so the user can access secure content on the server by successfully logging on to the client.

A technician needs to configure the following security options on each server.

1. On the first server, select the default on-demand publishing point. Check the Source tab to make sure the test files created in test #1 are still there.

2. On the Properties tab, click Authentication, and then enable the WMS Negotiate Authentication plug-in.

3. Click Authorization, and enable the WMS Publishing Point ACL Authorization plug-in.

4. Open Properties for the publishing point to see the list. By default the Everyone group has read permission, and any administrator on the computer has full permission.

5. Remove the Everyone group. BUILTIN\Administrators should be the only group with access to the files on the publishing point.

The technician opens Windows Media Player on the client computer and attempts to access a file in the default publishing point. Because the technician is logged on as user Lan and is an administrator, the file plays with no challenge.

Now he creates a new user named NoConnect on the client computer, and then logs on as that user. When he attempts to play the file from this account, the technician will be required to enter a valid user name and password. After he has received authorization to play a file, he can play the file repeatedly without having to enter user name and password again—as long as he does not close the Player.

If the Fast Cache feature is enabled on the publishing point, clients can cache content as it is being streamed. You may notice that once you access and play a file, you do not have to enter login credentials again, even if you restart the Player. This is because the Player is streaming the content from its cache and not from the server. You can see whether the Player is streaming from the cache by checking the Advanced tab in the Statistics dialog box. The Protocol box will display CACHE. To prevent Players from caching, you can disable Fast Cache on the server. This option is in the General category on the Properties tab.

Performing security functions does add to the load on the server. If you anticipate many concurrent connections using authentication and authorization, you can create a test of this functionality by using Load Simulator. However, you will need to add a domain server that is set up to authenticate users on the closed LAN, because Load Simulator uses Digest authentication.

Before leaving the security test, the Fabrikam technician returns the default publishing point to its original configuration by adding the Everyone group with read-only access. In the next test, we will see how Fabrikam sets up and runs the sample broadcast playlist that is installed with Windows Media Services.