Configuring Security for Windows Media Services
As with other types of
network-accessible content, it is important to ensure that only
authorized users have access to streamed audio and video. Some
organizations provide content only to paid or registered users and want
to prevent others from using network bandwidth. Unauthorized individuals
must also be prevented from directly linking to content or downloading
and redistributing media files. Windows Media Services provides several
methods for securing Streaming Media Services. Default security settings
can be defined at the server level. These settings will apply
automatically to all publishing points on the server. However, you can
also override the settings for each individual publishing point. In this
section, you will learn about authentication, authorization, and
permissions settings that are available within the Properties tab of a
publishing point.
Configuring Authentication Options
By default, new
publishing points will inherit the security-related settings that are
defined at the server level. You can define specific settings for
different types of content by accessing the Authentication category on
the Properties tab of a publishing point. (See Figure 30.)
You can authenticate users
by one of three methods. WMS Anonymous User Authentication specifies
that Windows Media Services should not prompt users for credentials.
However, when this option is enabled, users will be able to access
only the content for which the designated anonymous user account has
NTFS file system permissions. The default user account is the WMUS_servername
account, which is automatically created when you install the Streaming
Media Services server role. To change the account setting, double-click
the WMS Anonymous User Authentication plug-in and provide the
appropriate username and password. Anonymous authentication is useful
when you want all the users of the media server to have access to the
same set of content.
WMS
Negotiate Authentication uses either NTLM or Kerberos-based methods to
determine the identity of the incoming user. This method is useful if
you want to restrict access to users who have accounts on the local
server or within an Active Directory directory services domain. When
users attempt to access content, their Windows credentials will be used
to determine whether they have permission to access the requested files.
The WMS
Digest Authentication option is used primarily to support Internet
users. It relies on the HTTP protocol to request and receive credentials
over the network. For security, it does not send the actual password
but a hash that can be used to validate the user’s identity.
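How a digest exchange proves knowledge of the password without sending it, as an added example (not part of the original text and not Windows Media Services code). It assumes the standard HTTP Digest scheme of RFC 2617 with MD5 and qop=auth, uses the sample values from that RFC, and all function names are hypothetical.

```python
import hashlib
import hmac

# Sample values from RFC 2617 section 3.5 (not from the page or from WMS).
SAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "password": "Circle Of Life", "method": "GET", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b",
}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def compute_ha1(username, realm, password):
    """Hash of the credentials; the server can store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Value sent in the Authorization header (RFC 2617, qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_response(s):
    """Client side: derive the response from the password and the server's nonce."""
    ha1 = compute_ha1(s["username"], s["realm"], s["password"])
    return digest_response(ha1, s["method"], s["uri"], s["nonce"], s["nc"], s["cnonce"])

def server_verify(stored_ha1, s, response, last_nc_seen):
    """Server side: recompute from the stored HA1; refuse a reused nonce count."""
    if int(s["nc"], 16) <= last_nc_seen:
        return False  # replay of an earlier request under the same nonce
    expected = digest_response(stored_ha1, s["method"], s["uri"],
                               s["nonce"], s["nc"], s["cnonce"])
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    resp = client_response(SAMPLE)
    stored = compute_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("response on the wire:", resp)
    print("first use accepted:", server_verify(stored, SAMPLE, resp, last_nc_seen=0))
    print("replay accepted:", server_verify(stored, SAMPLE, resp, last_nc_seen=1))
```

Because the server verifies with the stored HA1 alone, that value is equivalent to the password for its realm and needs the same protection as a password.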
Configuring Authorization Options
The Authorization properties
for a Windows Media Services server or a publishing point specify how
permissions will be checked before users have access to content. There
are three available options. (See Figure 31.)
WMS NTFS ACL Authorization uses NTFS file system permissions to
determine whether a user has access to files. If only anonymous
authentication is enabled, then the designated anonymous user account
must have at least permissions to the content. Otherwise, when user
credentials are supplied, the user’s effective permissions are checked
before a stream is sent.
Some Windows Media Services
installations are intended for use by only a certain group of
computers. For example, an organization might provide company meeting
videos that require all users to connect to the organization’s local
area network (LAN) to obtain access to the content. Administrators can
use the WMS IP Address Authorization plug-in to specify which IP
addresses will be able to access content. (See Figure 32.) Default settings can be configured to automatically allow or deny connections that are not explicitly listed.
You can use the WMS
Publishing Points ACL Authorization plug-in to configure which users
and groups have access to the publishing point. (See Figure 33.)
To access content, users must have at least Read permissions. By
default, the Everyone group has these permissions to the content. Users
and groups can also be granted Write and Create permission to modify the
contents of the publishing point.
Using Web Server Permissions
Another
method of securing access to streamed audio and video content does not
directly involve Windows Media Services. You can use permissions and
security options that are available with the Web Server (IIS) server
role to secure links and other content that might be accessible to
users. For example, you might expose links and playlists for video
content only to registered users who are connecting using a secure SSL
connection.