HP Publisher security violation and vulnerability on Windows Home Server

  • Thursday, August 18, 2011 6:47 PM
     
     

    I want to provide remote access for family to some photos published on my Windows Home Server.

    I have used HP Photo Publisher to create a folder for viewing but encountered the following two SERIOUS security vulnerabilities:

    1. HP Photo Publisher automatically includes the "Users" shared folder in the list of folders that it scans and uploads photos from, even if no access is granted by WHS to that share or any of the individual user accounts below it. Furthermore, there is no way to "uncheck" that folder; nor is the full list of user folders shown, even if all are scanned and included; and all the photos, images, etc. that HP Publisher includes and publishes are not shown for those folders. RESULT: HP Publisher scans the entire folder hierarchy under Users and silently and invisibly uploads every image and photo it finds, irrespective of permissions.

    2. Anyone granted remote access to your home server automatically has access to both HP Photo Viewer AND Publisher.

    3. A remote user is able to delete a photo from a collection while using VIEWER.

    This all means that if a user, in good faith, makes some photos available, any remote user can, in good faith, accidentally, or in bad faith, deliberately, create a new photo gallery and include content that is otherwise private and password protected by WHS.

    How is any of this possible? I can set user permissions to none, view-only or full-access for each user and WHS share, so why can't HP follow the same security protocol?

All Replies

  • Thursday, August 18, 2011 7:17 PM
     
     
    Are you talking about Windows Home Server 2011? If so, you may find you have set up a HomeGroup which your Server is joined to - HomeGroup permissions override individual WHS folder permissions.
    Phil P.S. If you find my comment helpful or if it answers your question, please mark it as such.
  • Friday, August 19, 2011 12:38 PM
    Moderator
     

    @OP: what you're complaining about is effectively "by design". HP intended for their software to work the way it does, and part of the "ease of use" is a lack of concern with security. The thought process was probably something like: After all, the only people one would expect a home server user to share their photos with are family and close friends, so a relatively "open" security architecture is fine. You will need to pursue this with HP, however, since that software was added by HP and only available on their servers. You may not have much luck, however, since HP no longer manufactures and sells Windows Home Server boxes.

    @Phil: No, he's not talking about Windows Home Server 2011. HP is out of that business as of late last year, remember?


    I'm not on the WHS team, I just post a lot. :)