After a while of using a basic Jellyfin install I've re-installed Jellyfin as a service on Windows 10. To have more granular control of the various services I have running and facilitate following the Principle of Least Privilege and Defense in Depth, using lusrmgr.msc I created a separate local user account for the Jellyfin service to run under and changed the Log On > This account to use it rather than the default suggestions of NETWORK SERVICE or SYSTEM (SYSTEM being the worst possible option in my opinion).
I should say that I only use Jellyfin on the LAN so there isn't as much of a concern around attacks over the internet. It's only used personally and by trusted individuals. The port Jellyfin is listening on is not routable from the internet and in the event of access from outside the LAN I'd use something like Wireguard or a SSH tunnel for secure access. I prefer this method to some kind of reverse proxy and I trust those methods more over a solution that uses SSL certificates.
I've used a secure password for the Jellyfin user account. Under the General tab of the properties for the account I've set 'User cannot change password' and 'Password never expires'. The account shouldn't have any sign-ins to it anyway but setting these mitigates against it being changed somehow without my knowledge if access is gained. Under the Member Of tab I've removed all group memberships - It only had a membership to the 'Users' group by default - so that it is no longer a member of any groups and no longer in the 'Users' group. This should blanket limit what data and resources the account can access and generally limit what it can do.
Using the Local Group Policy Editor (gpedit.msc) under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment I've modified the default security policies.
I explicitly denied log on rights through every method except log on as a service, which is required for the Jellyfin account to log on for the purpose of running the Jellyfin server service. To restrict the account's logon access to the minimum required I added the Jellyfin account to the following policies:
Deny access to this computer from the network
Deny log on as a batch job
Deny log on locally
Deny log on through Remote Desktop Services
The Jellyfin account is included in the 'Log on as a service' policy which was added automatically when setting the Jellyfin Server Service to log on as the Jellyfin account. This one is required for the service to start under this account.
Most of the paths point to C:\ProgramData\Jellyfin*. For the folder C:\ProgramData\Jellyfin, under advanced security settings I added a new allow permission entry applying to 'This folder, subfolders and files' with read and write access under basic permissions. Then I switched to advanced permissions to further configure the permissions on a more granular level. I revoked 'Traverse folder / execute file', which allows a user to access a subfolder even if they do not have permission to access the parent folder, as the objects within the Jellyfin folder inherit permissions. Although setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder, I didn't want to leave any scope for file execution within that folder.
I granted the permissions 'Delete subfolders and files' and 'Delete'. C:\ProgramData\Jellyfin contains the 'transcodes' folder as well as 'metadata' and various other folders that will fill up during use and from which Jellyfin Server may need to clean up at times.
For C:\ProgramData\Jellyfin the allow permissions checked for the Jellyfin user account ended up being the following:
List folder / read Data
Read Attributes
Read extended attributes
Create files / write data
Create folders / Append data
Write Attributes
Write Extended attributes
Delete subfolders and files
Delete
Read permissions
The rest of the permissions were unchecked. For the folder C:\ProgramData\Jellyfin\Server\log I created an explicit deny permission entry for the Jellyfin user account which applies to 'This folder, subfolders and files'. Under the advanced permissions I checked 'Delete subfolders and files' and 'Delete', ensuring everything else was checked. Deny entries take precedence over allow entries on Windows so this should explicitly deny Jellyfin from deleting any logs, which should help mitigate destruction of log data in the event Jellyfin or the Jellyfin local user account it is running under were compromised. Ideally I'd also like to deny 'Create files / write data' while still allowing 'Create folders / append data' which, to my understanding, would allow Jellyfin to append data to existing files but not overwrite the existing data that is there to destroy existing log data. As Jellyfin creates new files for logs frequently, such as the FFmpeg.Transcode logs, I don't think this would work with the way Jellyfin stores log data currently.
For the path C:\Program Files\Jellyfin\Server\jellyfin-web I've not set any permissions yet. I don't believe the Jellyfin user account and consequently Jellyfin should have access to this folder and child objects but everything seems to be working so far. This is one I want to look at more in detail soon.
For the library folders containing the media I didn't want Jellyfin to be able to write or modify data at all. Less so from a security standpoint and more about preserving the original state of the media without any potential modifications to the data. For the library settings within Jellyfin I have 'Metadata savers > Nfo', 'Save artwork into media folders' and 'Save subtitles into media folders' unchecked but I wanted to take absolutely no chances in the event these settings changed or I forgot to set them.
I added an allow permission entry for the Jellyfin user account applying to 'This folder, subfolders and files' with 'Read' checked in the basic permissions. Under advanced permissions this selects 'List folder / read data', 'Read attributes', 'Read extended attributes' and 'Read permissions', which I was happy with, so I saved the entry with these permissions allowed. I added a deny permission entry for the Jellyfin user account applying to 'This folder, subfolders and files' with 'Write' checked under basic permissions, which selects 'Create files / write data', 'Create folders / append data', 'Write attributes' and 'Write extended attributes' under advanced. I additionally selected to explicitly deny 'Delete subfolders and files', 'Delete', 'Change permissions' and 'Take ownership'.
There are some good explanations of what the various NTFS Security Permissions do here and here.
Everything seems to be working fine so far. This is only the start but I'm looking at further locking things down to ensure only the minimum required for Jellyfin to function is permitted. This should reduce the attack surface and hopefully minimise the impact of a security incident if one were to occur. I want to finish up getting the file and folder permissions right then an area I'd like to focus on next is auditing, both in terms of logging log in activity to the Jellyfin local user account as well as logging the network connections to the Jellyfin server with Windows Firewall logging.
If anyone has insight into any other areas of focus, or if permissions can be even less permissive without breaking Jellyfin, it would be appreciated.
I'll hopefully keep this thread updated as I work through more of this.
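As an added example that is not part of the original post, this PowerShell script applies the three sets of NTFS entries described above (the data folder allow list, the deny-delete entry on the log folder, and the read-only allow plus write deny on the media libraries) and then lists the resulting entries for review. The account name and library paths are placeholders; run it from an elevated prompt.

```powershell
# Added example, not the post's own steps: recreates the described NTFS entries with PowerShell
# so they can be re-applied after a rebuild and audited. Names below are placeholders.
$Account   = 'JellyfinSvc'                           # placeholder: the local service account
$DataDir   = 'C:\ProgramData\Jellyfin'
$LogDir    = 'C:\ProgramData\Jellyfin\Server\log'
$MediaDirs = @('D:\Media\Movies', 'D:\Media\Shows')  # placeholder library paths

# 'This folder, subfolders and files' in the GUI is ContainerInherit + ObjectInherit.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None

function Add-Ace {
    param([string]$Path, [string]$Rights, [string]$Type)   # $Type is 'Allow' or 'Deny'
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        $Inherit, $Prop,
        [System.Security.AccessControl.AccessControlType]$Type)
    $acl.AddAccessRule($rule)      # keeps the DACL canonical: explicit Deny is ordered before Allow
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Data folder: the allow list from the post. Synchronize is included because the advanced GUI
# adds it silently and Win32 file opens request it; an Allow entry without it makes reads fail.
# ExecuteFile/Traverse is left out as in the post; subfolders stay reachable because Everyone
# holds 'Bypass traverse checking' (SeChangeNotifyPrivilege) by default.
Add-Ace $DataDir ('ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, AppendData, ' +
                  'WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, ' +
                  'Delete, ReadPermissions, Synchronize') 'Allow'

# Log folder: deny only deletion so logs can still be written but not destroyed.
# Never put Synchronize in a Deny entry; that would block every file open for the account.
Add-Ace $LogDir 'Delete, DeleteSubdirectoriesAndFiles' 'Deny'

# Media libraries: read-only Allow plus an explicit Deny on everything that modifies or
# could be used to re-grant write access (permission changes, ownership).
foreach ($dir in $MediaDirs) {
    Add-Ace $dir 'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize' 'Allow'
    Add-Ace $dir ('WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ' +
                  'DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') 'Deny'
}

# Review: show every entry for the account on each path, inherited ones included, so the
# log folder shows the inherited Allow from $DataDir next to its own explicit Deny.
foreach ($p in @($DataDir, $LogDir) + $MediaDirs) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference -like "*\$Account" } |
        Select-Object @{n='Path';e={$p}}, AccessControlType, IsInherited, FileSystemRights
}
```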
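As a second added example (again not from the original post), this checks the User Rights Assignment state described above without opening gpedit.msc: it exports the local policy with secedit and reports whether the service account's SID appears in each of the four deny rights and in 'Log on as a service'. The account name is a placeholder and the export needs an elevated prompt.

```powershell
# Added example, not the post's own steps: verify the logon-right assignments for the account.
$Account = 'JellyfinSvc'   # placeholder: substitute the real local service account
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null   # elevated prompt required

# Expected state from the post: listed in the four deny rights and in SeServiceLogonRight,
# and not in the corresponding allow rights (a Deny right wins anyway, but the allow is noise).
$expected = [ordered]@{
    SeDenyNetworkLogonRight           = $true   # Deny access to this computer from the network
    SeDenyBatchLogonRight             = $true   # Deny log on as a batch job
    SeDenyInteractiveLogonRight       = $true   # Deny log on locally
    SeDenyRemoteInteractiveLogonRight = $true   # Deny log on through Remote Desktop Services
    SeServiceLogonRight               = $true   # Log on as a service (needed to start the service)
    SeInteractiveLogonRight           = $false  # Allow log on locally
    SeNetworkLogonRight               = $false  # Access this computer from the network
}

$policy = Get-Content -LiteralPath $inf
foreach ($right in $expected.Keys) {
    # secedit writes each right as  Name = *SID,*SID,...  ; a missing line means nobody holds it.
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = if ($line) { ($line -split '=', 2)[1].Split(',').Trim() } else { @() }
    $present = $members -contains "*$sid"
    $status  = if ($present -eq $expected[$right]) { 'OK' } else { 'MISMATCH' }
    '{0,-36} present={1,-5} expected={2,-5} {3}' -f $right, $present, $expected[$right], $status
}
Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue   # the export lists other principals too
```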