whitestrat13 (posted February 19, 2015):

I'll preface this by saying I'm a security nut and I trust no one.

Are there any plans to allow the server to authenticate to a network share? I really hate using the everyone account, and I'd prefer to use a dedicated service account for MBS. I have a lot of personal data on my server and I want to lock it down.

It would be sweet if something could be built into the API that could encrypt a credential and pass it as a token or something to clients to enable direct play. That way, if you can authenticate to MB, you can browse as the dedicated MB user. I think this is something that could help both Windows users, and those who want to authenticate to a NAS from MBS.

I get that I may be the only one who wants to lock down a home network. I'm more curious than anything. As always, I appreciate all the hard work the devs put in, and I'm extremely grateful.

Have a great day,
Whitestrat13
spootdev (posted February 19, 2015):

Don't you already have the share locked down to the accounts that you're signed into in Windows?
whitestrat13 (posted February 19, 2015):

I do, but I'd much prefer that the "everyone" user has no rights on the server. Period. Anonymous user access is inherently a security risk.
fraenhawk (posted February 19, 2015):

I'm confused by your statement. I thought that the server shares went by who you have MBS running as and whether that account has access to the shares. I double-checked and I do not have the everyone account or even the Users group added to any of my network shares and everything works as intended. Everything I've always had configured on my server (which goes back to pre-MB3) has always been done through explicit user permissions per share.
whitestrat13 (posted February 19, 2015):

I run my server headless, and MBS as a service. The wiki (granted the post is old) said to give the everyone account read permissions, so that's what I did. Clarification by the developers would be helpful.

I just looked and MBS is running as the local system account. This allows MBS to read and write to the directories. For direct play, the client has to be able to browse the share. I believe this is why they suggest the everyone account should be given read permissions. I would like clients to authenticate to the share as a specified user. I'm less concerned about the application, as it runs on the same machine as my file shares. I just don't want anonymous users able to access anything on my file server.
whitestrat13 (posted February 19, 2015):

My understanding is that the server will direct stream or encode the file if the client can't access the share.
Luke (posted February 19, 2015):

I'm sure it's something we can eventually look into. The issue is when we launch external programs, if those programs are going to access the media then they need to be able to support it as well. So at the very least, ffmpeg, and we'll have to look at others. I would imagine they do but we have to figure out how, and if they don't then that's a problem. So that's why at present it's easier to leave it up to OS-level control.
whitestrat13 (posted February 19, 2015):

Thanks @Luke for the reply. Is the everyone account still necessary for direct play? Or is there another recommended way?
fraenhawk (posted February 19, 2015):

Ahh, I run my server headless as well, but I still have MBS run on interactive login rather than as a service (I don't let Windows Update reboot the machine ever and just remote in when I want to do updates/reboots so that I'm sure to log it right back in after). That's the part that threw me off, that you're running as a service. Good luck.
ebr (posted February 20, 2015):

The only time you should need to enable access to the Everyone account is if you have Windows Extenders. I believe that is the only time we recommend that. The reason being that they use Windows accounts with passwords you cannot know.
Deathsquirrel (posted February 21, 2015):

If you're concerned about limiting the service's access to the system you can create a user account for that service, give that account access to only the MB folders and library folders, and use that account for the service. Should work fine so long as you grant it rights to all the folders used by the app. Haven't bothered myself, but should work.
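
The setup described in the last post, combined with the thread's goal of giving Everyone no rights on the share, as an added PowerShell example that is not from any poster or from the Media Browser project. The account, service, share and folder names are placeholders; programs the service launches, such as ffmpeg, run under the same account, so the same ACLs cover them.

```powershell
# Added example: every name and path here is a placeholder, not a value from the thread.
$SvcUser     = 'svc-mbs'                          # hypothetical dedicated service account
$ServiceName = '<MBS-service-name>'               # find the real name with Get-Service
$DataDir     = 'D:\MBS-Data'                      # placeholder: the server's own folders
$LibraryDirs = 'D:\Media\Movies', 'D:\Media\TV'   # placeholder library folders
$ShareName   = 'Media'                            # placeholder share used for direct play
$ClientUsers = 'htpc-livingroom'                  # placeholder accounts the clients log in with

# 1. Local account for the service, with a password typed at the prompt.
$pw = Read-Host -AsSecureString "Password for $SvcUser"
New-LocalUser -Name $SvcUser -Password $pw -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Media server service account' | Out-Null

# 2. NTFS rights: modify on the server's own folders, read-only on the libraries.
#    (Assumption: grant M on a library only if the server must write metadata there.)
icacls $DataDir /grant "${SvcUser}:(OI)(CI)M" | Out-Null
foreach ($dir in $LibraryDirs) { icacls $dir /grant "${SvcUser}:(OI)(CI)RX" | Out-Null }

# 3. Run the service as that account, then restart it. This call does not grant the
#    "Log on as a service" right; choosing the account once in services.msc does.
$plain = [System.Net.NetworkCredential]::new('', $pw).Password
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Invoke-CimMethod -MethodName Change `
        -Arguments @{ StartName = ".\$SvcUser"; StartPassword = $plain } | Out-Null

# 4. Share permissions: named client accounts get Read, Everyone gets nothing.
foreach ($u in $ClientUsers) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $u -AccessRight Read -Force | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
    -ErrorAction SilentlyContinue | Out-Null

# 5. Audit: list every share or library ACL entry that still names a broad principal.
#    (Principal names are the English ones; localized systems use other names.)
$broad = 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Guests'
Get-SmbShare -Special $false | Get-SmbShareAccess |
    Where-Object { $_.AccountName -in $broad } |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
foreach ($dir in $LibraryDirs) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference.Value -in $broad } |
        Format-Table @{ n = 'Path'; e = { $dir } }, IdentityReference, FileSystemRights -AutoSize
}
```

Run it from an elevated prompt on the machine that hosts both the service and the shares; an empty result from step 5 means no share or library folder still lists Everyone, anonymous logon or Guests.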