Potential Security Vulnerability - Media Library (Remote Web Access and DLNA Streaming)

  • Question

  • I was setting up access rights for my WHS 2011 users and realized that anyone can access any folder added to the media library. By default, the Music, Pictures and Video folders are in the Media Library. The WHS 2011 Media Library can be used in two ways, so let us discuss the implications of both in detail:

    1. DLNA (LAN Media Server)

    DLNA Media Servers do not authenticate their users; therefore, I was not expecting much security there anyway. Basically, any folder in your media library will be available over LAN DLNA, ready for streaming to the DLNA-capable device of your choice.

    2. Remote Web Access

    The new WHS 2011 website has media streaming capability to die for! Remote Web Access also does an awesome job of authenticating the user. The user then has access to the entire media library and is able to stream pictures and videos.

    Security Issue: Some users may not have access to all the shared folders which have been added to the media library, but since the folder is in the media library they will be able to access the content anyway. Therefore, the Media Library is like a public library which overrides Sharing Security and NTFS security permissions and grants access to any user. The only other option will be to keep personal media files out of the media library, but then those files can't be accessed via the cool Silverlight-based media library streaming application, even by users who should have access to them.

    In my opinion, Media Server should have options to allow users to configure advanced security and privacy settings for folders in the media library. That way, users can decide which media folders will be available to all over DLNA and which folders will be available to which user over the Remote Web Access Media Library.

    Please share your thoughts.

    Thanks,

    BIT


    Monday, May 23, 2011 4:41 AM