Security is a prime concern for almost all enterprises today, especially with viruses like Sircam and Code Red becoming more and more prevalent. When you’re deploying new services on your network like Windows Media Services, you’ve got to be concerned how these new programs will affect security on your network and how to keep the programs themselves secure.

In this Daily Drill Down, I’ll show you how to use the Windows Media Administrator to secure your network after you’ve added Windows Media Services.

Security and restriction options in Windows Media Services
Your primary tool to secure Windows Media Services is the Windows Media Administrator. To start the Windows Media Administrator, click Start | Programs | Administrative Tools | Windows Media. When Windows Media Administrator starts, click Server Properties. When you do, you’ll see the screen shown in Figure A.

Figure A
Many of the restriction options are found on the Server Properties page of Windows Media Administrator.

As you can see in Figure A, the Server Properties screen contains several tabs: General, Publishing Point Security, Distribution Authentication, Publishing Point Logging, and HTTP Streaming And Distribution. At first glance, you may think that these tabs have little to do with security, but they do.

The General tab allows you to control how workstations connect to the media server. The Maximum Clients field specifies the maximum number of clients that are allowed to connect to the media server. The Maximum Bandwidth field specifies the maximum bandwidth that can be utilized by the clients making use of the media server. The Maximum File Bitrate field limits the clients’ use of the server by restricting the bitrate of the client connections. By limiting the number of clients that can access the server, along with limiting the amount of bandwidth and bitrate, you can make sure that your media server isn’t used as part of a denial of service attack.

The Publishing Point Security tab allows a server administrator to require clients to authenticate before accessing media streams on a Windows Media server. The options on this screen are:

  • Do Not Use Authentication: Naturally, this choice means that your Windows Media server uses no authentication and will stream media files to anyone. This is the default setting and offers no security protection.
  • HTTP-BASIC Authentication And Membership Service Account: This choice allows you to validate who can access media streams on the server. The authentication is unencrypted, which means that a hacker can intercept user IDs and passwords, but at least users have to register to have access to this information. User IDs and passwords are checked against the Member Service account, which is a separate database maintained by Microsoft Membership Services. Microsoft Membership Services is a separate service that you must configure in advance to use this feature. This is a good choice if you want to control users who access the network but don’t want them included as part of your domain.
  • HTTP-BASIC Authentication And NTLM Account Database: This choice works similarly to the previous one except that only users that are members of the domain can access the media files stored on the server. It’s a good choice when you’re providing security on an intranet and want to provide access only to specific users that are part of your network. It’s also a good choice on the Internet where you may not be able to make an NTLM connection to your server. Because this choice requires users to enter a domain name, this is also a good choice in an environment where you’re maintaining multiple domains.
  • Windows NT LAN Manager Authentication And NTLM Account Database Authentication: This choice provides maximum security for your media streams. It uses a fully encrypted NTLM Challenge/Response system to allow access to the media services. Only users that are members of a domain can access the media server. This choice is best in an environment where you’re running an intranet or where all users are members of a trusted domain.

The Distribution Authentication tab controls how Windows Media servers communicate with each other. Windows Media servers can be arranged so that they feed data streams to each other to provide a sort of load balancing and scalability that would otherwise not be possible. For streams of data with sensitive or copyrighted information, a Windows Media server can be configured to require a password before being able to receive the stream. That information is configured here. Just select Enable Server Authentication. You’ll then have to provide the proper user ID and password to be allowed access.

An integral part of any security system involves logging information that may be useful when trying to re-create a breach. Windows Media Services is no different. This is where the Publishing Point Logging tab is key. In the Windows Media server, logging is turned off by default. You can enable it by selecting the Enable Logging check box. This tab allows an administrator to set up logging on a daily, weekly, or monthly basis. Or it can be restarted when it reaches a specific size.

Details about what a user watched, how long the user watched it, and some other specific actions, such as rewinding or fast-forwarding, are included in a Media Services log file. You can also view logs by selecting Publishing Point Events in the left pane of Windows Media Administrator, as shown in Figure B. You can use information on this screen to tell you when certain things happen, such as when a user tries to use too much bandwidth, when there are too many connect attempts by users, and what port numbers media files are using.

Figure B
You can view logs of Windows Media server activities.

By default, Windows Media Services uses Microsoft Media Server (MMS) to broadcast media. Some firewalls block this protocol and also block Windows Media Services ports (Inbound port 1755 and Outbound random ports between 1024 and 5000). The HTTP Streaming And Distribution tab allows a Windows Media server to use HTTP streaming in order to bypass possible firewall restrictions that could otherwise block a Windows Media broadcast. HTTP streaming uses port 80, which is rarely blocked by firewalls. This tab can also be used to enable the Windows Media Encoder to communicate with a Windows Media server that is using HTTP. You have three choices:

  1. Do Not Enable HTTP Streaming Or Distribution: This is the default choice, which causes the Windows Media server to broadcast using its default MMS protocol.
  2. Enable HTTP Streaming For Windows Media Unicast Service: You’ll select this option if you want to distribute unicast streams using HTTP.
  3. Enable HTTP Distribution For Windows Media Station Service: You’ll use this option if you’re multicasting streams from your media server.

Monitoring media services
One way to make sure your media server is really secure is by constantly monitoring it. Windows Media Administrator has a number of built-in monitoring pages that allow the administrator to see exactly what is happening with the server—what programs are being watched, what clients are attached to the server, and how the stream is being broadcast to the client. Using these utilities, you can verify that only allowed clients are actually accessing the media streams.

To enable client monitoring, select Publishing Point Clients from the left pane of the Windows Media Administrator window. Next, check the box labeled Enable Client Monitoring. Once you check this box and refresh the window, then all connections from clients show up in the bottom window, as shown in Figure C.

Figure C
You can monitor clients as they access your server.

Windows Media Administrator refreshes this page every 30 seconds. You can change the refresh rate by changing the value of the Auto-refresh field. It’s best to keep the default value of 30 seconds unless you suspect you’re being attacked and want to see the connect rates more often. If you set the value too low, the media server will slow down because it will have the added duty of constantly refreshing the Publishing Point Clients screen as well as serving media files to clients. If you deselect the Auto-refresh check box, you can manually refresh the screen by clicking the Refresh button.

The information that is provided includes the client ID, its IP address, TCP port, and the name of the program that the client is streaming. If you decide that you want to end the client’s session, select the client and click the Terminate Selection button. The user will be notified that the network connection has failed and the stream will be stopped. If you need to terminate all the clients at once, click the Select All button and then click Terminate.

Firewalls and Windows Media Services
Perhaps the most common device for protecting networks, firewalls can wreak havoc with services like streaming media. If a media server is placed behind a firewall, appropriate ports need to be opened up if the server is to be accessed from the outside. In addition, it is wise to place the server in the firewall’s DMZ rather than on an internal corporate network if it is to be accessed publicly. Doing this minimizes risk to the internal network in the event that the media server’s security is compromised.

Windows Media Services runs on a wide range of TCP ports but is also enabled to use a single port: TCP and UDP ports 1755. Client connections are generally UDP rather than TCP and, when not using the single TCP/UDP port, can range anywhere from UDP ports 1024 to 5000. Also, for sites where opening up firewall ports is difficult, Windows Media Services can be configured to stream over HTTP port 80, as discussed earlier in this article. When the Windows Media Encoder is being used to directly stream live content to a Windows Media server, it uses TCP port 7007. Windows Media Services used to be known as NetShow, so if you are using a firewall that uses service names rather than TCP and UDP ports, keep this in mind.

Maintaining security is hard enough on a basic Windows server. But when you start adding services like Windows Media Services, things become even more complicated. You need a way to make sure that Windows Media Services doesn’t introduce any new weaknesses into your network, while at the same time securing it to ensure that only the users you want to use it can. Logging and monitoring are also equally important. Fortunately, the Windows Media Administrator can help. Once you learn your way around it, you can worry a little less about security.