Jump to content


Photo

Assign network drives including access data for security reasons possible?

Security network

  • Please log in to reply
8 replies to this topic

#1 Siutsch OFFLINE  

Siutsch

    Advanced Member

  • Members
  • 121 posts
  • Local time: 06:20 PM

Posted 05 March 2020 - 06:30 AM

A fundamental question about security, especially because of the current problems caused by the so-called Emotet Trojan:


I use the emby server under Windows10 on the same PC where my Kodi Client is installed.

The data is stored on a Synology NAS.

Under Windows direct, I did not set up network drives directly on this PC, but use the UNC paths for the libraries, e.g. \\IP\Share\folder\...

Since emby does not allow you to specify credentials, the logged in Windows user must have access to this shares on the NAS.

In case of a Trojan infestation of the PC, especially Emotet should have no problems with encrypting the complete data on the NAS with these read/write rights, even if the network drives have not been assigned directly under Windows.

It would be much safer if the access is not done with the logged in Windows user, but with another user whose credentials have to be transferred in emby.

According to my understanding, a Trojan infestation of the PC should then no longer be able to access the data directly from the operating system and possibly compromise them.

So is it possible to transfer access data to network drives as well?

Thanks a lot.



#2 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 156879 posts
  • Local time: 12:20 PM

Posted 05 March 2020 - 12:58 PM

Hi, we don't currently have a way of allowing you to enter credentials into Emby Server. Is that what you're asking or is this a more general question?



#3 Siutsch OFFLINE  

Siutsch

    Advanced Member

  • Members
  • 121 posts
  • Local time: 06:20 PM

Posted 05 March 2020 - 02:24 PM

I know, that emby has actually no way of allowing to enter credentials.

I tried to explain why I think this is important, especially when emby is used on Windows.

 

So I would like to know, if there are any plans to integrate it, or if the effort for it is even manageable.

Thank you.



#4 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 156879 posts
  • Local time: 12:20 PM

Posted 05 March 2020 - 02:29 PM

Couldn't you also run emby as a windows service with a dedicated windows user account that has limited privileges to only what is necessary?



#5 Siutsch OFFLINE  

Siutsch

    Advanced Member

  • Members
  • 121 posts
  • Local time: 06:20 PM

Posted 05 March 2020 - 03:05 PM

Good idea.

I haben't tried to test this, but I will do.

Thank you. :)


  • Luke likes this

#6 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 156879 posts
  • Local time: 12:20 PM

Posted 05 March 2020 - 03:05 PM

Let us know how you get on. Thanks.



#7 RobWayBro OFFLINE  

RobWayBro

    Advanced Member

  • Members
  • 133 posts
  • Local time: 12:20 PM
  • LocationCentral Indiana

Posted 05 March 2020 - 04:41 PM

Couldn't you also run emby as a windows service with a dedicated windows user account that has limited privileges to only what is necessary?

This is what I do.


  • Luke likes this

#8 Ponyo OFFLINE  

Ponyo

    Advanced Member

  • Members
  • 246 posts
  • Local time: 01:20 AM

Posted 05 March 2020 - 09:43 PM

But how does that work? You can't give folder permissions to a local Windows user on a Synology shared folder AFAIK and I suppose Windows ACL's don't work unless you are on a domain.

 

You could give the NAS user only read permissions but that isn't exactly a practical solution as Emby won't be able to write anything to the media folders anymore so all your metadata will have to be stored locally which has its own downsides.



#9 Siutsch OFFLINE  

Siutsch

    Advanced Member

  • Members
  • 121 posts
  • Local time: 06:20 PM

Posted 06 March 2020 - 02:10 AM

If the name and password of the Windows user is the same as that on the NAS, this will work.

So it should also work if you add a matching user as a service at startup.

 

If this user is not the same user that Windows uses when logging in, then the operating system should not have access to the NAS shares, which would increase security.

I will test this.

Is here an instruction how to start emby as a service (haven't looked for it yet ...)

EDIT:
Found it:
https://emby.media/c...indows-service/


Edited by Siutsch, 06 March 2020 - 05:37 AM.






Also tagged with one or more of these keywords: Security, network

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users