
Server Security


gjames50

Hello,

I have version 3.0.5395.0.

I have been loving MediaBrowser.

I am setting up users and want one admin account, and I added a password for that account.

The problem is that in Windows on the server it allows me to log in without asking for the password. This is an issue, as I can modify the user accounts without any password authentication.

For the kids' accounts they could easily change their playback ratings, which is the point of doing this.

Am I missing something? Or is this not possible?

Please advise.

Thanks.

Beardyname

Well, if you are connecting from localhost this is how it is supposed to work, but if the kids' accounts connect from any other machine it will ask for a password. It is made this way so no one would be locked out of their own server if they forgot their password.

gjames50

I figured that was the case.

My only concern is that in the current configuration the kids could go to the PC the server is loaded onto and change their ratings level to gain access to inappropriate content, or change server settings altogether.

It would be nice in a future release to give us an option to lock down the server even on localhost.

I will have to find another way to secure it for now.

Thanks for the help.

If anyone has any ideas or suggestions on what to do now, please let me know.

Thanks.

pünktchen

make the admin account a hidden account

@@Luke Has this changed? I have a hidden admin account that I cannot see even directly on the server. It was okay with the official release, but now on DEV I have to put in the credentials.

gjames50

make the admin account a hidden account

OK, so I created an admin account, password protected it and clicked the option "hide this user from login screens". On the localhost computer it shows up in the list of users, and of course when you click on it, it logs in without a password.

I tried restarting the server and it still shows up.

Or is there another option for a hidden account that I can't find?

Please advise. Thanks.

pir8radio

On localhost it will show even hidden accounts. What you should do is hide the MB icon in the tray, or password protect your Windows user so they don't have access to the MediaBrowser icon in the task bar. If you access your server by http://COMPUTERNAME:XXXX it should act as if you are accessing the server remotely, and not wide open.

So either hide the MB icon and bookmark http://computername:port instead of http://localhost or http://127.0.0.1, or lock down the account that MB runs under and bookmark the server name on the kids' accounts.

Depending on how nerdy you are, you can redirect localhost and 127.0.0.1 to google.com or something; then you don't have to do all of the hiding and whatnot. But this option can break other services/servers running on your PC.

pir8radio

I'm 99.9% sure it's impossible to redirect localhost or 127.0.0.1 on a Windows system, @@pir8radio it would be great to get more details.

MediaBrowser server has one line of code which uses HttpRequest.IsLocal http://msdn.microsoft.com/en-us/library/system.web.httprequest.islocal(v=vs.110).aspx to determine if the request was from the localhost and permit a blank password.

Perhaps it would be nice to see an option to allow blank passwords from localhost? It may be more preferable than complex workarounds, especially if folks want to reverse proxy from the same machine, especially considering how robust MB is nowadays.

@@anks here is what I just tried on my work PC... I just pinged Google to see what their IP was, then edited my hosts file to point localhost to Google's IP, then pinged localhost. Notice localhost returns Google... I can go to a browser and put in http://localhost and I get a Google search page.

[screenshot omitted: localhost.png, the ping and browser output described above]

Cheers @@pir8radio, I was getting ahead of myself and was more concerned with the server security. Although you can change the name resolution for localhost, which is what you were replying to the original OP about, I was thinking along the lines of spoofing the localhost address for MB (my bad).

For example, if you add

24.26.232.234  localhost

to your hosts file for a googleable MediaBrowser server, you still won't be able to log in without a password, since Request.IsLocal will return false and you'll need a password.

However, since the Web Client just uses a 'contains' check to identify whether a user is on localhost, by changing your hosts file you will get the profile screen, which contains the usernames and pictures, but not the manual login external users would expect. Try going to http://www.therume.us:8096/, which is what the IP address resolves to, and you'll see the difference.

Also, the API, which is critical to support all the apps, lets us get all the public users anyway: go to /mediabrowser/Users/Public on any server to see all the details. The current beta has really moved forward with authentication, but the current stable exposes a lot more info, and as the code is open source, there could be security implications.

It really may be worth adding a <meta name="robots" content="noindex" /> to all the non-authenticated MB pages, plus adding an X-Robots-Tag: noindex, nofollow HTTP header to all the API requests. I appreciate obscurity is not security, but keeping MB out of the major search engines would be a positive move.
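The two checks described in the post above can be modelled in a few lines. What follows is an added example (my own JavaScript, not MediaBrowser's server or web-client code) that contrasts a hostname 'contains' test with an HttpRequest.IsLocal-style test on the peer address, and runs both over constructed requests: a browser on the server using localhost, the same browser using the machine name, a remote client whose hosts file maps localhost to the server's public IP, and a remote client using a DNS name that merely contains the word. The request fields (hostHeader, remoteAddr, localAddr), the user records, the addresses and the blank-password rule are all assumptions made up for the demo; the IsLocal semantics (peer is loopback, or peer address equals the address the server accepted the connection on) follow the MSDN documentation linked above.

```javascript
// Added example, not MediaBrowser's code. Models the two "is this request
// local?" checks discussed in the thread and shows where they disagree.
// Every address, hostname and user below is constructed for illustration.

const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Client-side style test: a substring match on the name the browser typed.
// It trusts a name, and the hosts file (or an attacker-chosen DNS name) can
// make that name say anything.
function isLocalByHostname(req) {
  const host = req.hostHeader.split(':')[0].toLowerCase(); // drop the port
  return host.includes('localhost');
}

// Server-side style test modelled on System.Web.HttpRequest.IsLocal: true when
// the peer is loopback, or the peer address equals the address the server
// accepted the connection on (the connection came from this machine).
function isLocalByAddress(req) {
  return LOOPBACK.has(req.remoteAddr) || req.remoteAddr === req.localAddr;
}

// The policy the thread describes (assumed shape): a blank password is honoured
// only when the request is judged local; otherwise the stored password must
// match. Plain-text comparison is used only to keep the model short.
function authenticate(req, user, suppliedPassword, isLocal) {
  if (suppliedPassword === '') return isLocal(req);
  return suppliedPassword === user.password;
}

// "Hide this user from login screens" is a presentation flag, not an access
// control: the thread reports the list still shows hidden users on localhost.
function loginScreenUsers(users, req, isLocal) {
  return users.filter(u => !u.hidden || isLocal(req)).map(u => u.name);
}

// Constructed scenarios (hostHeader as typed, peer address, accepting address).
const scenarios = {
  // Browser on the server itself, typed http://localhost:8096
  onServerViaLocalhost: { hostHeader: 'localhost:8096', remoteAddr: '127.0.0.1', localAddr: '127.0.0.1' },
  // Browser on the server itself, typed http://COMPUTERNAME:8096 (LAN address both ends)
  onServerViaHostname: { hostHeader: 'mediapc:8096', remoteAddr: '192.168.1.10', localAddr: '192.168.1.10' },
  // Remote client whose hosts file maps "localhost" to the server's public IP
  remoteWithSpoofedHosts: { hostHeader: 'localhost:8096', remoteAddr: '203.0.113.5', localAddr: '24.26.232.234' },
  // Remote client using a DNS name that merely contains the word "localhost"
  remoteLookalikeName: { hostHeader: 'localhost.example.net:8096', remoteAddr: '203.0.113.5', localAddr: '24.26.232.234' },
};

// Constructed user records; "Admin" carries the hide-from-login-screens flag.
const users = [
  { name: 'Admin', password: 'correct horse', hidden: true },
  { name: 'Kid1', password: 'kid1', hidden: false },
];

// Evaluate every scenario under both checks and return the results.
function evaluate() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = {
      byHostname: isLocalByHostname(req),
      byAddress: isLocalByAddress(req),
      blankPasswordAcceptedByHostname: authenticate(req, users[0], '', isLocalByHostname),
      blankPasswordAcceptedByAddress: authenticate(req, users[0], '', isLocalByAddress),
      loginScreenByHostname: loginScreenUsers(users, req, isLocalByHostname),
    };
  }
  return out;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run it with node. The output shows the hostname test reporting the spoofed remote request (and the look-alike DNS name) as local while the address test does not, which is exactly the gap between the profile screen the Web Client shows and the password the server still demands; it also shows the machine-name case going the other way, where the URL looks remote but the connection is in fact from the server itself. The hardening takeaway is that any "local means trusted" decision has to be keyed to the connection's peer address, never to the name in the URL or Host header, and that a hidden-user flag is no substitute for requiring the password.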


We can remove the localhost no-password entry; we just first need a better password recovery system to prevent people from getting locked out.

Seems reasonable - with the realization that you could lock yourself out of your own server if you forget the password.


gjames50

OK, so I have been unable to look at anything until today.

I just checked everything again, and now it is hiding the hidden admin account.

I checked the version and it auto-updated to version 3.0.5424.1.

So whatever changes have been made in this newer version secure the server.

Awesome!

Thank you all for the assistance. I am going to start testing this with the kids.

Again, thank you!!!!!

gjames50

Just a note, and I am sure everyone probably knows this.

Because it's localhost, you do not need a password for the admin account that is now hidden.

But it is secure enough as long as nobody else knows the name of that admin account.

It will be changed for the next release. You'll no longer be able to get in automatically on localhost. There will be a new password recovery process that uses the server's program data folder and a PIN code, so the security responsibility will shift to the system admin to make sure they know who has physical access to that location.

TheShanMan

I noticed in the latest beta build that the web interface no longer requires a user's password if I'm using "localhost" to connect (using the hostname does require a password). Is that a known issue yet? Will it be fixed in the next version?


Beardyname

It was made this way so users who forgot their password would have a way to reset it, but if you read the post above yours you can see how this will be solved in the future :)

TheShanMan

I noticed in the latest beta build that the web interface no longer requires a user's password if I'm using "localhost" to connect (using the hostname does require a password). It's not a "local network" vs. remote password setting issue, because I've got a password set for both. From the server itself, if I connect via "localhost" it lets me in without asking for a password, but if I connect via the hostname (again, from the server itself) it asks for a password.

This might not be the place to post this, and I don't want to hijack the thread, but the security settings seem to be a bit off. I have a Sony TV, and my guest user that was not allowed to remote control other users could remote control my television. I'm also having an issue where the guest users can't update plugins, which is a function I would like to have. Just update plugins, not get new ones. It's highly possible that I'm missing something obvious, but I can't seem to rectify the issues.

TheShanMan

Sorry to anyone who is wondering why my posts are showing up here even though it was already explained. Without being aware of this thread, I posted a new thread, which apparently got merged into this thread. From my perspective my thread just magically disappeared (I got no notification that it was merged into this one, and the URL for my thread stopped working). So I posted again. Same thing. Finally I discovered this thread. Kind of an awkward way to handle multiple threads for the same question, IMO. But again, sorry if my posts ended up adding confusion or whatever to this thread.

Glad to see this will be handled in a better way.
