TechNet Home > Windows Server TechCenter > Security Services

Using Windows Server 2003 in a Managed Environment

Windows Media Services

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organizations requirements for communication across the Internet with your organizations requirements for protection of networked assets.

Note: This section of the white paper describes Windows Media Services (the server component), but it does not describe Windows Media Player (the client component) or Internet Information Services (IIS), both of which are involved in carrying out communication of multimedia content across the Internet. For information about these components, see the respective sections of this white paper.

*
On This Page
Benefits and Purposes of Windows Media ServicesBenefits and Purposes of Windows Media Services
Examples of Features that Help You Control Communication to and from a Windows Media ServerExamples of Features that Help You Control Communication to and from a Windows Media Server
Firewall Information for Windows Media ServicesFirewall Information for Windows Media Services
Answer File Entries and Registry Keys for Windows Media Services SubcomponentsAnswer File Entries and Registry Keys for Windows Media Services Subcomponents
Procedures for Installing, Removing, or Excluding Windows Media Services and Its SubcomponentsProcedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents
Related Documentation and LinksRelated Documentation and Links

Benefits and Purposes of Windows Media Services

Windows Media Services 9 Series is included in Windows Server 2003, Standard Edition, the 32-bit version of Windows Server 2003, Enterprise Edition, and the 32-bit version of Windows Server 2003, Datacenter Edition. Windows Media Services is not included in Windows Server 2003, Web Edition, or in the 64-bit versions of the Windows Server 2003 family. In the 32-bit versions of Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition, Windows Media Services delivers advanced streaming functionality such as multicasting, wireless network support, Internet authentication, server plug-ins, and Cache/Proxy APIs.

Windows Media Services is an optional component in products in the Windows Server 2003 family. With Windows Media Services, you can create, manage, and deliver Windows Media content over an intranet or the Internet. The clients receiving the content can render it as it is being received, that is, without downloading the content first. Streaming greatly reduces the wait time and storage requirements on the client. It also permits presentations of unlimited length, as well as live broadcasts.

For more information about features in Windows Media Services, see the sources in "Related Documentation and Links," later in this section.

Examples of Features that Help You Control Communication to and from a Windows Media Server

This subsection provides brief descriptions of some features in Windows Media Services 9 Series that help you control communication to and from a Windows Media server. These features are integrated with two aspects of basic functionality built into the Windows Server 2003 operating system:

Authentication

Authorization

Authentication

Authentication is a fundamental aspect of security for a server running Windows Media Services. It confirms the identity of any unicast client trying to access resources on your Windows Media server. Windows Media Services includes authentication plug-ins that you can enable in order to validate user credentials for unicast clients. Authentication plug-ins work together with authorization plug-ins: after users are authenticated, authorization plug-ins control access to unicast content.

Windows Media Services authentication plug-ins fall into the following categories:

Anonymous authentication. These are plug-ins that do not exchange challenge and response information between the server and a player, such as the WMS Anonymous User Authentication plug-in.

Network authentication. These are plug-ins that validate unicast clients based on user logon credentials, such as the WMS Negotiate Authentication plug-in.

When you make decisions about how authentication might affect users, consider the following points:

For multicast streaming with Windows Media Services 9 Series, clients do not establish a connection, and therefore authentication and authorization do not apply for multicasting. (Multicast streaming is only available if you have the 32-bit version of Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.)

If a player is connected through HTTP, the player disconnects from the server each time the user stops, pauses, fast-forwards, or rewinds the content. If the user tries to continue receiving the content, the authentication and authorization process occurs again.

For more information about authentication and about the specific authentication plug-ins that you can enable for Windows Media Services, see the list in "Related Documentation and Links," later in this section.

Authorization

In order to control access to unicast content on your Windows Media server, unless you identify users only by IP address, you must enable one or more authentication plug-ins and also one or more authorization plug-ins. Authentication plug-ins verify the credentials of unicast clients attempting to connect to the server. Authorization plug-ins verify that the unicast client is allowed to connect to the server. Authorization occurs after authentication is successful.

You can enable authorization plug-ins to control the access to content by authenticated users. If you enable an authorization plug-in, with one exception, you must also enable an authentication plug-in for unicast clients to be able to access your publishing points. The exception is the WMS IP Address Authorization plug-in, which does not require an authentication plug-in to authenticate a unicast client.

Note that for multicast streaming with Windows Media Services 9 Series, clients do not establish a connection, and therefore authentication and authorization do not apply for multicasting. (Multicast streaming is only available if you have the 32-bit version of Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.)

During the authorization process, the server checks the user against the set of access permissions for the resource to which the user is trying to connect.

For more information about authorization, see the list in "Related Documentation and Links," later in this section.

Firewall Information for Windows Media Services

This subsection provides information about configuring firewalls (or proxy servers or both) for use with Windows Media Services. For more information about firewalls, see the sources in "Related Documentation and Links," later in this section.

You can configure each control protocol plug-in (Microsoft Media Server [MMS] protocol, Real Time Streaming Protocol [RTSP], and HTTP) to use a specific port to make firewall configuration easier. If opening ports on your firewall is not possible, Windows Media Services can stream content by using the HTTP protocol over port 80.

Note: Using HTTP to stream content is disabled by default.

Windows Media Services was formerly known as Microsoft NetShow Services; some firewalls have a preconfigured NetShow setting, which may work for Windows Media Services.

Configuring firewalls for Unicast Streaming

To configure a firewall for unicast streaming, you must open the ports on the firewall that are required for the connection protocols enabled on your server. If you are streaming content by using either the Microsoft Media Server (MMS) protocol or the Real Time Streaming Protocol (RTSP), you need to support both the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).

To enable Windows Media Player and other clients to use the HTTP, RTSP, or MMS protocols to connect to a Windows Media server that is behind a firewall, open the ports described in the following table.

Ports to open when clients are connecting using HTTP, RTSP, or MMS protocols

PortsDescription

In: TCP on ports 80, 554, and 1755

The Windows Media server uses the TCP In ports to accept an incoming HTTP connection (port 80), RTSP connection (port 554), or MMS connection (port 1755) from Windows Media Player and other clients.

In: UDP on ports 1755 and 5005

The Windows Media server uses UDP In port 1755 to receive resend requests from clients streaming by using MMSU (MMS used with UDP), and UDP In port 5005 to receive resend requests from clients streaming by using RTSPU (RTSP used with UDP).

Out: UDP on ports 1024 through 5000.

The Windows Media server uses UDP Out ports 1024 through 5000 to send data to Windows Media Player and other clients.

To enable a distribution server that is behind a firewall to use the HTTP or RTSP protocols to stream content that originates from a server outside the firewall, open the ports described in the following table.

Ports to open when a distribution server is behind a firewall and uses HTTP or RTSP to stream content that originates from a server outside the firewall

PortsDescription

In: UDP on ports 1024 through 5000

The Windows Media server uses UDP In ports 1024 through 5000 to receive data from another server.

Out: TCP on ports 80 and 554

The Windows Media server uses the TCP Out ports to establish an HTTP connection (port 80) or RTSP connection (port 554) to another server or encoder.

Out: UDP on port 5005

When RTSPU distribution is used, the Windows Media server uses UDP Out port 5005 to send resend requests to another server.

Note: If it is not possible to open all the UDP Out ports on a firewall, UDP packets sent by a Windows Media server may be blocked by the firewall and may not be able to reach the clients on the other side of the firewall. If this is the case, clients may still be able to receive a stream by automatically rolling over to a TCP-based protocol, such as HTTP or RTSPT (RTSP used with TCP). However, the rollover will cause a delay for the client receiving the stream.

If you know you will not be able to support UDP streaming through a firewall, you can decrease the rollover delay by clearing the UDP check box in the Unicast Data Writer plug-in Properties dialog box. For more information, see the Help for Windows Media Services. A procedure for viewing Help is included in "Procedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents," later in this section.

Configuring Firewalls for Multicast Streaming

If you distribute content using multicast streaming, network traffic is directed through the standard Class D IP addresses (224.0.0.0 through 239.255.255.255). For multicast streaming, you must enable multicast-forwarding on your network. The Internet Group Management Protocol (IGMP), supported by Windows Media Services, ensures that multicast traffic passes through your network only when a player requests a multicast connection, so that enabling multicasting on your routers does not flood your network.

The following firewall configuration enables multicast packets to traverse your firewall:

IP multicast address range: 224.0.0.1 through 239.255.255.255

To enable IP multicasting, you must allow packets sent to the standard IP multicast address range to come through your firewall. This IP multicast address range must be enabled on both the player and server sides, as well as on every router in between.

Enabling Access to an Encoder Outside a Firewall

Encoders use HTTP to connect to a server running Windows Media Services. By default, Windows Media Encoder uses port 8080 for HTTP connections; however, the encoder administrator can specify a different port. If a different port is used, you must specify the same port when you identify the encoder connection URL for the Windows Media server and when opening the port on your firewall.

The following example of a firewall configuration allows a computer running Windows Media Encoder outside a firewall to access a Windows Media server behind a firewall by using HTTP:

In/Out: Transmission Control Protocol (TCP) on port 8080.

(The In port is the port through which the server accepts connections. The Out port is the port through which the server sends data to clients.)

Answer File Entries and Registry Keys for Windows Media Services Subcomponents

For reference purposes, the following table shows the syntax for answer file entries associated with Windows Media Services in the Windows Server 2003 family. The table also shows the corresponding registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular subcomponent is installed on a particular server. A registry key value of 0x00000000 means the subcomponent is not installed, and a value of 0x00000001 means the subcomponent is installed.

Note: For more details about answer-file entries related to Windows Media Services subcomponents, including information about dependencies between the entries, see the references listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

Answer file entries and registry keys for Windows Media Services subcomponents for the Windows Server 2003 family

Windows Media Services subcomponentAnswer file entry (in the [Components] section)Registry key (for use in a script that checks whether a subcomponent is installed): 0x00000000 means it is not installed; 0x00000001 mean it is installed

Core Windows Media server components

wms = On | Off

No key available (check for subcomponents by using other keys)

Windows Media Services Administrator for the Web

wms_admin_asp = On | Off

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_admin_asp

Windows Media Services MMC snap-in

wms_admin_mmc = On | Off

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_admin_mmc

Multicast and Advertisement Logging Agent components

wms_isapi = On | Off

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_isapi

Windows Media Services server components

wms_server = On | Off

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_server

Procedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents

The following procedures explain how to:

Add or remove Windows Media Services on a computer after setup is complete for a product in the Windows Server 2003 family.

View the Help that comes with Windows Media Services.

Prevent the installation of Windows Media Services during unattended installation by using an answer file.

Specify answer file entries that control whether Windows Media Services subcomponents are included during unattended installation.

Note: Windows Media Services is included in Windows Server 2003, Standard Edition, the 32-bit version of Windows Server 2003, Enterprise Edition, and the 32-bit version of Windows Server 2003, Datacenter Edition. Windows Media Services is not included in Windows Server 2003, Web Edition or in the 64-bit versions of the Windows Server 2003 family.

In the 32-bit versions of Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition, Windows Media Services delivers advanced streaming functionality, such as multicasting, wireless network support, Internet authentication, server plug-ins, and Cache/Proxy APIs.

To Add or Remove Windows Media Services on an Individual Computer After Setup is Complete

1.

Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

2.

Double-click Add or Remove Programs.

3.

Click Add/Remove Windows Components (on the left).

4.

Select Windows Media Services.

5.

Perform one of the following steps:

If Windows Media Services is installed and you want to remove it, clear the check box for Windows Media Services and complete the wizard.

If Windows Media Services is not installed and you want to add it, select the check box for Windows Media Services and complete the wizard.

If you want to view the list of Windows Media Services subcomponents, after selecting Windows Media Services, click Details.

To View the Help that Comes with Windows Media Services

1.

Make sure that Windows Media Services is installed by using the previous procedure.

2.

Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

3.

Double-click Administrative Tools and then click Windows Media Services.

4.

Click the Help menu and then click Help Topics.

To Specify Answer File Entries that Control Whether Windows Media Services Subcomponents are Included During Unattended Installation

1.

Using the methods you prefer for unattended installation or remote installation, create an answer file.

2.

In the [Components] section of the answer file, add the appropriate entries listed in the table in "Answer File Entries and Registry Keys for Windows Media Services Subcomponents," earlier in this section. Ensure that the entries specify Off for components you do not want to install and On for components you want to install.

If no Windows Media Services subcomponents are listed in an answer file for unattended installation of a Windows Server 2003 family operating system, these components are not installed by default.

Note: For more information about unattended installation, and for details about dependencies between answer-file entries related to Windows Media Services subcomponents, see the references listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

To Prevent the Installation of Windows Media Services During Unattended Installation by Using an Answer File

1.

Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment."

2.

In the [Components] section of the answer file, ensure that there are no entries for the subcomponents listed in the table in "Answer File Entries and Registry Keys for Windows Media Services Subcomponents," earlier in this section. If you want to list any of these subcomponents, ensure that the entries specify Off.

If no Windows Media Services subcomponents are listed in an answer file for unattended installation of a Windows Server 2003 family operating system, these subcomponents are not installed by default.

Related Documentation and Links

The following list of resources can help you as you plan or modify your implementation of Windows Media Services and Windows Media Player in your organization:

For technical information about Windows Media, see Windows Media Technical Resources for the Enterprise, on the Microsoft Web site at:

www.microsoft.com/windows/windowsmedia/forpros/enterprise/techresources/default.aspx

A variety of technical resources are available on the preceding Web site, including:

The Windows Media 9 Series Deployment Guide.

The Enterprise Deployment Pack for Windows Media Player 9 Series, a downloadable packaging tool that simplifies the configuration, deployment, and management of Windows Media Player 9 Series.

Other technical articles.

For information about deploying over an intranet, see Deploying Windows Media 9 Series over an Intranet, on the Microsoft Web site at:

www.microsoft.com/Windows/WindowsMedia/howto/articles/intranet.aspx

For conceptual and how-to information about using Windows Media Services, including information about authentication, authorization, ports, and firewall settings, see the Help that comes with Windows Media Services. For information about installing Windows Media Services and viewing Help, see "Procedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents," earlier in this section.

For general information about features, and information about ports and firewall or proxy settings, search for the latest information on the Windows Media Web site at:

www.microsoft.com/windows/windowsmedia/

For information about Windows Media Services 9 Series, for example, information about upgrading, optimizing, features, and logging, see the following page on the Windows Media Web site:

www.microsoft.com/windows/windowsmedia/forpros/server/server.aspx

For documentation on the distribution of content, see the Windows Media Web site at:

http://www.microsoft.com/windows/windowsmedia/forpros/broadcast.aspx

For information about using Windows Media run-time components in a custom application, see "Redistributing Windows Media 9 Series Components," on the Microsoft Developer Network Web site at:

msdn.microsoft.com/library/en-us/dnwmt/html/RedisWMedC.asp

For information about Windows Media Services Software Development Kits (SDKs), see the Microsoft Developer Network Web site at:

msdn.microsoft.com/downloads/list/winmedia.asp

Printed Reference

Birney, B., Tricia Gill, and members of the Microsoft Windows Media Team. Microsoft Windows Media Resource Kit. Redmond, WA: Microsoft Press, 2003.

You can read a sample chapter and view information about the Microsoft Windows Media Resource Kit on the MS Press Web site at:

www.microsoft.com/MSPress/books/6280.asp


Top of pageTop of pagePrevious25 of 36Next
**
In This Article
Introduction to Internet Communication
Activation and Registration for a New Installation or an Upgrade
Application Help
Certificate Support and the Update Root Certificates Component
Device Manager
Driver Protection
Dynamic Update
Event Viewer
File Association Web Service
Help and Support Center: The Headlines and Online Search Features
HyperTerminal
Internet Explorer 6.0
Internet Information Services 6.0
Internet Protocol Version 6 (IPv6)
NetMeeting
Online Device Help
Outlook Express 6.0 (Included in Internet Explorer 6.0)
Plug and Play
Program Compatibility Wizard
Remote Assistance
Search Companion
Terminal Server Licensing
Windows Error Reporting
Windows Media Player
Windows Media Services
Windows Time Service
Windows Update and Automatic Updates
Appendix A: Resources for Learning About Automated Installation and Deployment
Appendix B: Resources for Learning About Group Policy
Appendix C: Message Queuing
Appendix D: Connection Manager
Appendix E: Passport Manager Administration
Appendix F: Internet Connection Sharing and Related Networking Features
Appendix G: Add Network Place Wizard
Appendix H: New Connection Wizard
Additional Resources
**