By Ken Durigan, guest author
Ken Durigan is a Principal Consultant in Microsoft Consulting Services that focuses on design and implementation of Windows Server core infrastructure for large enterprises. He has been a Windows Media Center enthusiast since Windows Vista, and uses Media Center extenders as the foundation for his whole-house media distribution system. Here he describes how he enhances control over access to his media via extenders by using some of Windows security features.
Note: This entry originally appeared on the Windows Media Center team blog on www.thegreenbutton.com.
Over the years Microsoft has consistently delivered enhancements to its operating systems and applications. One primary area of focus has been improving security by limiting unauthorized access to files and folders thereby preventing malicious or accidental deletion of important data.
You may know that the default installation of Media Center Extenders gives them full access to many files and folders on the media center computer. The reasoning behind granting such a high level of access is to allow any user the ability to add or delete music and pictures or to setup television recordings as well as delete them after they have been watched. Although this is reasonable for recorded television, you may not want this level of access for other media types such as family photos, personal videos or music collections.
In my home, for example, I want to allow some content to be deleted and some to be protected. In the family room, children’s bedrooms and recreation room, I want controlled access to content since this is shared by the entire family as well as my children’s friends that visit. In my office I want total unrestricted access so I can view and manipulate all content.
Once you setup the controls you desire for your extenders, additional capabilities can be added. This post describes base security setup as well as allowing or disallowing content on the specific extenders and allowing or restricting content by time of day.
Installing an extender always requires administrative privileges. The reason for this is that during the setup of a new extender, device drivers are installed, user accounts are created and access permissions are assigned to directories on the Media Center PC. Standard non-administrative users are not granted those capabilities by default so an administrative account is required. If the extender installation code detects a non-administrative user during installation, a prompt will be displayed asking for administrative credentials to allow the installation to succeed. This is the case for all versions of Media Center, but how the permissions are used is different under Windows 7 than under previous versions.
In Vista and XP, installing a Media Center Extender simply creates a new local user account and adds that account to the local administrators group on the Media Center computer. After installing the first XBox or other dedicated MCE extender, a MCX1 local user account is created and added to the local Administrators group. Each additional extender creates another MCX account and adds that to the local administrators group as well. Membership in the Administrators group provides remote login permission, which is how the MCX accounts are granted access to logon. Membership in the Administrators group also grants full access to all files and folders on all drives on the system.
Under Vista and XP it is relatively easy to change the default access by removing the MCX1 user from the Administrators group; however this causes several problems – most notably the extender can no longer connect to the Media Center computer. By default, Windows does not allow just anyone to logon remotely, so when the MCX user attempts to logon from the extender after removing it from the Administrators group, it will be denied remote login access.
Removing the MCX account from the Administrators group also removes file permissions that are not explicitly granted. So even if the MCX user is granted the privilege to login remotely, it cannot access the file system to create recordings or play music files after being removed from the Administrators group. The goal in Windows Vista and XP is to remove the extender accounts from the local Administrators group and yet still allow remote logins and specific file and folder permissions.
Windows 7 Media Center
In Windows 7 Media Center, things are a bit different. The Windows 7 developers decided not to simply add the MCX accounts to the local Administrators group. During the extender installation, the right to log on remotely is granted directly to the MCX user account through the local security policy. You can see how this is done in Windows 7 by looking at the user rights assignments in the local security policy:
Unlike previous versions of Windows, where file permissions are inherited by being a member of the Administrators group, in Windows 7 permissions are directly added to files and folders. This is an improvement over adding the MCX accounts to the Administrators group; however, a scheduled task is created which runs under the context of the user that is logged in during the install. This scheduled task re-applies permissions to allow access to files and folders by the MCX accounts. If you have ever tried to change the default file permissions for MCX1-<computername> account under Windows 7, you will notice that eventually the access you set gets changed back, again allowing the extender full access. I will discuss this more a little later in this article, but this is the behavior that needs to be stopped to successfully use security groups to simplify the process of defining access permissions to content.
Due to the differences between Windows XP/Vista and Windows 7 Media Center, the process for controlling access to content is slightly different for each version. I have not even seen an XP media center machine in many years, and now no longer have access to a Vista PC either. I will identify the overall process that needs to be followed for these operating systems. It should be noted that all screen captures and detailed instructions included in this document were produced on a Windows 7 machine. The screens and processes between the older operating systems and Windows 7 are similar enough that this should not be a problem for XP or Vista users.
While this post contains specific instructions for securing directories, it is useful to look at the major steps first before diving into the details. In the discussion that follows, several security groups and user accounts will be used many times. Their names and purposes are:
Groups:
Users:
Additional detailed instructions on setting up user accounts and security groups are provided later in this document.
Extenders are relatively easy to setup in XP and Vista as long as you remember to not set up media libraries until after you have secured the system. When setting up an extender, you will be given an option to add media to your library. When prompted with the question “Do you want to set up media libraries now?” the correct response is NO.
It is also important to turn off the extender per the instructions below. If you do not turn of the extender when instructed, it will still be running with administrative privileges which will allow it to make changes that you do not want. The trick is to let the extender install device drivers under an administrative account, then shut it down and remove its permissions. You can then grant exactly the permissions you want.
Step 1 - Setup Extenders
Step 2 - Setup security groups and folder permissions (see below for details).
Step 3 - Setup media libraries
Note: You will only be able to add directories to which the extender has been granted permissions.
As previously mentioned Windows requires administrative authority to complete the installation of an extender. However, the key to controlling permissions in Windows 7 is setting up specific user accounts ahead of time, and then installing extenders using those accounts. Here is the basic set of steps:
Step 1 - Setup security groups and folder permissions (see below for details).
Note: this is required or the extenders will still be able to access the administrative users folders.
Step 2 - Setup the “standard” extenders
Step 3 - Setup the “privileged” extenders
Step 4 - Fix up groups and permissions and add time restrictions.
Step 5 - Setup Media Libraries
1. Open Computer Management in one of several ways:
2. Select Local Users and Groups, expand the group.
3. Right click Users and select New User.
For Windows 7, create a “Standard” (MCXUser) and a “Privileged” (MCXAdmin) user account.
For all operating systems, create two new groups by right clicking on Groups and selecting New Group.
When you are done, your standard user account should look like this:
Your Administrative user account should look like this:
After you have completed your extender installations, additional accounts will have been created. These are added to the appropriate groups. All users and extender accounts are added to the “standard” group, and only privileged extenders are added to the “privileged” group. After everything is setup, here is what my “standard” group looks like:
Finally, here is what the “privileged” extender group looks like:
As I mentioned, in my home I want to allow some content to be deleted and some to be protected. In the family room, children’s bedrooms and recreation room I want controlled access to content since this is shared by the entire family as well as my children’s friends that visit. In my office I want total unrestricted access so I can view and manipulate all content. Access permission varies by content type, not just physical location.
Here is the desired level of content access I want to grant the standard extenders that are located in common family areas of the house:
For normal recorded TV, there should be no difference in the way that Windows Media Center operates from the traditional default installation. TV shows are scheduled, watched and deleted without any restrictions. The same should be true for any video that is placed directly in the temporary videos folder as these are videos that come from a variety of sources such as Camcorders, DVD rips, Bit Torrents, YouTube or other Internet sites.
The Music and Pictures folders should be read-only for extenders and therefore protected from accidental or intentional deletion. The only way to manipulate these files should be by using an authorized account, either directly on the Media Center PC or from an unrestricted extender. If an attempt is made to delete any files in these libraries, an error message should be displayed on the extender.
An example of Media Center with security setup in this way is shown below. An attempt was made to delete a picture from a standard extender. A prompt was displayed that asked “Are you sure?” to which I answered Yes:
From a standard extender with restricted permissions, any attempt to traverse the directory structure is also blocked. For example, when trying to open the c:\users directory, the extender will be able to open only the folders to which that extender has access. Not only are files protected, but the ability to see the directory structure of the media center PC is also blocked. In the screen capture below, notice that there is no ability to traverse the “admin” user’s directory structure, but the Public directory can be traversed.
Organizing your media properly is important to simplify the file and folder permission setup. A basic understanding of Windows Security is helpful to set this up properly. A few points worth noting:
NOTE!!! Be very careful if your media is stored on the same drive as your operating system installation. Removing permissions at the root of the C: drive will have some very bad side effects! I keep my operating system drive separate from all media drives and do not change the default OS directory permissions for C:.
Administrators will be granted full rights at the root of the media volumes which will be inherited down to all subdirectories. The “Everyone” group is given List folder / read data to the root folder (“This folder only” option in the screen shot below). At the root of my T: volume, here are my security settings:
I create a T:\Media Folder where the rest of my media will reside. Access will be granted to a group that all extenders will be members of (MXC Users group). None of the other directories at the root of T: will be able to be browsed by the extenders since the Everyone built-in group inheritance has been restricted to only the root. Read-only permissions are now added so that all folders below the T:\Media level can be browsed and read, but not deleted. Here are the settings I have used:
You can see that Administrators and SYSTEM have inherited full control from T:\ whereas the “MCX Users” group is <not inherited> and has been granted Read & execute permissions for this folder and all subfolders. Any media placed anywhere in the T:\Media folder is now available to extenders and is protected from deletion.
Next we need to create a Read/Write folder for standard recorded TV to allow extenders the ability to create as well as delete files. I create this folder in T:\Media\Recorded TV and then add the appropriate extra permissions to that folder. You can see that read-only permissions were inherited, and then Modify and Write permissions were directly added for the MCX Users group:
I also add the same Read/Write permissions to T:\Media\Videos for MCX Users. The T:\Media\Videos directory is designated as read/write and is not for videos I consider permanent. Any videos that are permanent can go into another directory such as T:\Media\PermanentVideos. That is it – you now have a T: volume that has restrictions on what can be browsed, what is read-only, and what can be accessed for both read and write by any member of the “MCX Users” group.
I have several disk drives with media and apply the same principle to those drives. The screen capture below shows that the Everyone built-in group is inheriting read-only access to the M:\Media\Music folder – it is protected.
The process for creating unrestricted data access or for providing more access to specific security groups is similar to what is described above. One alternative for providing additional access would be to just use the XP and Vista approach and add specific extenders to the built-in Administrators group, but I do not recommend this practice. In general, you should allow unrestricted access to specific media folders, not to the entire computer.
Fine grained security can be applied to grant specific extenders a higher level of access. This is useful for a variety of situations – your teenagers may have access to more content than your younger children, or maybe you will apply different time restrictions based on their age. The key is to just create additional security groups and apply permissions to allow or disallow content access. I create a MCX-A group and grant it additional rights to specific directories. The extenders in this group have access to content that the normal extenders have no access to.
For example, normal users and extenders should not have the ability to delete pictures, but you may want to allow some users/extenders this ability. Here is the setting to allow this:
As you can see, any member of the MCX Users group has Read & execute access to T:\Media\Pictures which it inherited from T:\Media, but members of the MCX-A group have modify access to the T:\Media\Pictures folder and all of its subfolders. The members of the MCX-A group cannot delete content in other directories that were not specifically given permissions. This is the advantage of not simply adding the extender account into the built-in Administrators group. By placing Media Center Extender user accounts into one or more of these privileged groups you will give just the level of access you need, but no more.
On my Media Center PC, I have several physical disk drives where I store media and have setup file access control in the way I have described above. I have also moved my user profile directories off of the C: drive and on to the D: drive. This is most easily done when setting up a new machine prior to adding local user accounts. To relocate the user profile directory, edit the ProfilesDirectory registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\ProfileList
My setting looks like this:
Although this setting change is not mandatory, I find it useful to allow me to make security settings at the disk level and not affect operating system directories. I also like the separation of the operating system drive from data drives for backup purposes and to ensure that if the user disk fills up it does not affect the operating system. I always make this change after setting up a new operating system version, and then I create any local accounts. I leave the Default and Public user profiles with the operating system, since they are setup by the OS installation, and I do not modify permissions for those directories.
When an extender is installed on a Windows 7 media center computer, a new scheduled task is created for that extender. Every extender installation or reinstallation will create an additional task. The task is created to run under the context of the logged-in user at the time of the extender installation. The task therefore has whatever permissions the installation account has been granted. This is why it is important to remove permissions from the installation account as soon as possible, and certainly before adding media directories.
The purpose of the new task is to update media permissions for extender accounts. This task runs whenever event id 115 appears in the Media Center application event log. Event 115 is generated when a media center extender establishes a connection to the media center PC. When the scheduled task detects the event it runs the %systemroot%\ehome\McxTask.exe program and passes the extender account MCX?-<computername> as a parameter. McxTask.exe updates permissions directly on files and folders to include the MCX?-<computername> account. The task is created and runs as a non-elevated process so it can only make permissions changes that the installation user account can make. No additional file or folder permissions can be granted above what the installation account is allowed so security is not compromised.
However, since I want to use security groups rather than user-level permissions to grant access, I do not want the default behavior and must disable the scheduled task(s). I open the task scheduler by typing taskschd.msc from the run menu, navigate to the Media Center Extender tasks and disable all of them. There should be one for each extender.
Note that in the above example the task would run under the MCXAdmin user account context and would update permissions for the Mcx1-MEDIACENTER1 account. This would give the Mcx1-MEDIACENTER1 extender account the same permissions to the folders that the MCXAdmin account has. It is important to disable the tasks or the extender accounts will be defined directly as file and folder level permissions rather than just using group permissions.
There is an easy way to test access levels by logging on to the Media Center computer with the MCXUser and MCXAdmin accounts. These accounts were used to install the extenders, but then they were removed from the local Administrators groups as part of the installation process described above. These accounts now get their permissions from the same groups that the extenders do. By logging on to the computer with the standard MCXUser account you should only be able to access files and folders that standard extenders can access and you should not be able to add or delete content from protected directories. The MCXAdmin user account should have additional rights that the MCXUser account does not but it should not be able to traverse other user’s directories, nor should it be able to access other directories that it has not been granted access to. This is the best way to test your security definitions and ensure that everything is correct.
From the previous sections you can see that controlling access to content in media center is really just an exercise in assigning folder permission to groups, then making sure that the extender accounts are assigned to the right groups. The primary focus was to prevent accidental deletion of content such as pictures, music or permanent videos. The same concept can be applied to allow or prevent access to any content from specific extenders. This may be useful for situations where some extenders should have NO access to specific content. For example, if your children have Xbox 360’s in their bedrooms you can prevent them from getting access to age inappropriate material by assigning their Xboxes to restricted security groups. Unlike parental controls, this method lets you control the types of media they can access, regardless of how a show or movie was rated by someone that may not share your view of what is appropriate.
Time restrictions can be enforced through a combination of scheduled tasks and utilities that can set and remove permissions to files and folders. You can create a schedule where content is available to your children’s Xbox extenders until their bed time, then automatically disallow access after that time. Or, an extender that has normal access to content during the day can be elevated to a privileged extender in the evening after the children go to bed. The icacls.exe command included with the operating system allows manipulation of security permissions to allow this level of control. In the batch file below I use the icacls command to grant or remove access to the d:\media\restricted directory and all of its subdirectories for the MCX-A group.
@echo off
setlocal
set opts=/remove:g %computername%\MCX-A /t
if /i (%1)==(grant) set opts=/grant:r "%computername%\MCX-A":(OI)(CI)(RX)
echo %date% %time% >%~dpn0.log
icacls d:\media\restricted %opts% >>%~dpn0.log
endlocal
Copy the above batch file into notepad and save it as file setmcxacl.cmd. You will run this batch file in your scheduled task. It produces a log file named setmcxacl.log in the same directory as the batch file so you can see what permissions were actually changed. The batch file simply sets some common options used by the icacls.exe utility, then either grants or removes access to the directory specified (the d:\media\restricted folder in the above batch file).
To set up the schedule, open Scheduled Tasks using the taskschd.msc command.
I have created two tasks: one to enable content later in the evening for any extender that is in the privileged extenders group (MCX-A) and one to remove that access in the morning. During the day time, the extender can be used as normal, but in the evening additional content becomes available. Here is how you define the task to enable access every night at 9:30 PM:
Note that the command is running under the context of SYSTEM which has full rights to set file and folder permissions. Also note below that the parameter passed to the command file is “grant” which instructs the batch file to grant access to the folders at the given time.
Here is how you define the task to disable access in the morning. Again this runs under the local SYSTEM account so it has rights to change file and folder permissions.
The command line below specifies to “revoke” access at 8:00 AM every day.
This post provides instructions on how you can change the default permissions and rights granted to Media Center extender accounts under Windows XP/Vista and Windows 7. By making these changes you can confidently place different types of media on your Media Center computer and know that it is protected from accidental or intentional deletion. You can allow specific extenders access to some content while disallowing it from others. You can also enable time restrictions on content to enable some or all content to be available or unavailable from specific extenders at specific times of the day or week. Although the setup steps are not simply point-and-click within the Media Center user interface, they are not difficult if you have an understanding of Windows Security.
This batch file will check permissions granted to a user or group on all drives on the Mediacenter computer. Copy the batch file code below and paste it into notepad, then save the file as checkacls.cmd.
if (%1)==() goto ERROR
set log=%~dpn0.log
echo %date% %time% >%log%
for %%i in (c d e f g h i j k l m n o p q r s t u v w x y z) do call :chkacl %%i:\ %1
notepad %log%
goto end
:chkacl
echo ------------------------------------------------------------------------>>%log%
echo Checking %1 for ACLs for account %2
echo icacls %1 /findsid %2 /t /c 2>nul >>%log%
icacls %1 /findsid %2 /t /c 2>nul >>%log%
echo.>>%log%
goto :eof
:error
echo Syntax %0 Userid
:end
Endlocal
To run the command, type:
Checkacls.cmd {group or user name}
When the command completes it will display the results in notepad. This will show you exactly what file permissions have been granted to a specific user or group on all drives and in all directories on the computer. If the group name has a space in it, enclose it in quotes. For example, to check all the file permissions granted to the group “MCX Users” type the following command:
Checkacls “MCX Users”
To check all of the file permissions granted to the extender account MCX1-MEDIACENTER1, type the following:
Checkacls mcx1-mediacenter
***
The opinions expressed here represent my own and not those of my employer.
This document is provided on an “as is” basis. You bear the risk of using it and Microsoft does not provide any support services. Microsoft gives no express warranties, guarantees or conditions to the fullest extent permitted by law. Microsoft disclaims all warranties, express or implied, and in particular, disclaims all warranties of merchantability, fitness for a particular purpose, non infringement and warranties related to this document. Microsoft shall not be liable for any direct, indirect or consequential damages or costs of any type arising out of any action taken by you or others related to this document. You may copy and use this document for your internal, reference purposes. You may not modify and redistribute this document.