Updated: October 4, 2007
Applies To: Windows Server 2008, Windows Server 2008 R2
Rights define what a particular user is allowed to do on a system, and they let you grant different levels of permission to different users. You can define rights for individual users, computers, and servers on your system. By default, Windows Media Services runs under the Network Service user account.
The Network Service account is a predefined local account that first appeared in Windows XP. Services that are running under the Network Service account access network resources using the credentials of the computer account. The Network Service account has minimal privileges on the local computer. This prevents someone from using the account to gain access to protected resources on your system. The Network Service account does not have a password associated with it. If you change Windows Media Services to run under a different user account and then change it back to the Network Service account, do not enter a password.
Because Windows Media Services uses the Network Service account credentials to respond to authentication requests from other resources, ensure that the Network Service account has been granted the appropriate permissions in the access control lists of any resource with which it might interact. For example, if you are going to write log file information to a network location that is different from the default location, you must grant the appropriate permissions to the Network Service account for that location for Windows Media Services to write log files successfully.
Some plug-in features cannot interact with the Network Service account. For example, if you are going to use the Microsoft Script Debugger to troubleshoot scripts that will be run by the WMS Active Script Event Handler plug-in, you must configure Windows Media Services to run under another account.
Windows Server 2008 uses security templates to predefine the rights and permissions granted to users. When you review the security templates for your Windows Media server, be aware of the following:
DCOM settings. Microsoft Management Console (MMC) uses distributed component object model (DCOM) to administer Windows Media Services. Each DCOM interface has a DACL that was configured by Windows Media Services during setup to allow the Network Service account to launch, configure, and access files on the server. If you change the account that Windows Media Services uses, make sure to also modify the DCOM configuration. By default, Windows Media Services uses the Packet Privacy authentication level to secure communication between MMC and the service.
File and folder permissions. When Windows Media Services tries to stream a file to a user, the user must be authenticated against the location of the file. Network Service has the appropriate level of permissions for the default folder WMRoot, meaning that it has been assigned Modify, Read & Execute, List Folder Contents, Read, and Write permissions. Windows Media Services requires those permissions for any activity that requires reading and writing data, for example, logging, modifying playlists, archiving broadcasts, and accessing digital media files. Make sure that Network Service has been added to the access list for any files or folders to which Windows Media Services requires access.
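The folder-permission requirement above, and the earlier note about non-default log locations, can be checked with a script. The following PowerShell is an added example, not part of the original Microsoft documentation. It audits a local folder for an access entry that names Network Service with Modify rights, and adds one only when run with -Fix. The folder path and the -Fix switch are assumptions made for the illustration.

```powershell
# Added example: audit (and with -Fix, repair) the Network Service entry on a folder ACL.
param(
    [string]$Path = 'D:\MediaContent',  # hypothetical folder, not from the original page
    [switch]$Fix                         # without -Fix the script only reports
)

# Well-known SID of NT AUTHORITY\NETWORK SERVICE; avoids localized account names.
$sid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
# Modify covers Read & Execute, List Folder Contents, Read, and Write.
$needed = [System.Security.AccessControl.FileSystemRights]::Modify

$acl   = Get-Acl -Path $Path
# Explicit and inherited entries that name Network Service directly.
# Rights reaching the service through groups such as Users are not counted.
$rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value })

$allow = 0
$deny  = 0
foreach ($r in $rules) {
    # Inherit-only entries apply to children, not to this folder itself.
    if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
    if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
    else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
}

$needBits = [int]$needed
$missing  = $needBits -band (-bnot $allow)   # required bits no Allow entry grants
$blocked  = $needBits -band $deny            # required bits a Deny entry removes

if ($blocked) {
    # Adding an Allow entry cannot override a Deny; report it for manual review.
    Write-Output "DENY blocks $([System.Security.AccessControl.FileSystemRights]$blocked) for Network Service on $Path"
} elseif (-not $missing) {
    Write-Output "OK: Network Service has Modify on $Path"
} elseif ($Fix) {
    # Grant Modify on this folder and let subfolders and files inherit it.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $needed, $inherit, [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Granted Modify to Network Service on $Path"
} else {
    Write-Output "MISSING $([System.Security.AccessControl.FileSystemRights]$missing) for Network Service on $Path"
}
```

Run it once without -Fix from an elevated prompt to see the current state before changing any ACL.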