Setting up security on EventStore

Just a few questions about the new security features of EventStore. I couldn’t find answers to them in the Security doc.

Basically I’m setting up an EventStore server in Windows Azure and wanted to make it available to a few other Azure virtual machines in different subscriptions based on user/pass credentials. Ideally some credentials would have really limited access to some streams.

  1. How do we secure the Web UI (2113)? Currently I can connect to this UI and stop the server or view information.
  2. How do we prevent unauthorised users from creating streams over TCP? Currently I can connect as a non-authenticated user and create a random stream (and start appending to it).

Best regards,


Any news on this one? The two scenarios still seem to be possible.


Both were fixed: the admin operations require authorisation, and default ACLs (see docs) allow preventing stream creation.
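
A way to check a default-ACL document before applying it, as an added example that is not part of the thread or of Event Store's own code. It assumes the ACL key names from the Event Store security docs (`$userStreamAcl`, `$systemStreamAcl`, `$r`, `$w`, `$d`, `$mr`, `$mw`), that `$all` includes unauthenticated clients, and that omitted fields fall back to the built-in defaults; the `writers` group is hypothetical.

```python
# Added example: audit an Event Store default-ACL document for operations
# that anyone (the "$all" principal) may perform. Key names and built-in
# defaults are assumptions taken from the Event Store security documentation.

OPS = {"$r": "read", "$w": "write", "$d": "delete",
       "$mr": "metadata read", "$mw": "metadata write"}

# Assumed built-in defaults when no default ACL has been configured:
# user streams are open to everyone, system streams to admins only.
BUILTIN = {
    "$userStreamAcl": {op: "$all" for op in OPS},
    "$systemStreamAcl": {op: "$admins" for op in OPS},
}

def effective_acl(settings):
    """Overlay a default-ACL document on the built-in defaults (assumed per-field)."""
    merged = {}
    for section, defaults in BUILTIN.items():
        merged[section] = dict(defaults)
        merged[section].update(settings.get(section) or {})
    return merged

def open_to_everyone(settings):
    """Return (section, operation) pairs that "$all" is allowed to perform."""
    findings = []
    for section, acl in effective_acl(settings).items():
        for op, name in OPS.items():
            principals = acl[op]
            if isinstance(principals, str):  # a single principal or a list
                principals = [principals]
            if "$all" in principals:
                findings.append((section, name))
    return findings

# Constructed sample: only the hypothetical "writers" group may write, which
# also covers creating a stream by appending its first event.
HARDENED = {
    "$userStreamAcl": {"$r": "$all", "$w": "writers", "$d": "$admins",
                       "$mr": "$all", "$mw": "$admins"},
}

if __name__ == "__main__":
    print("no default ACL set:", open_to_everyone({}))
    print("hardened:", open_to_everyone(HARDENED))
```

With no default ACL set, the audit reports write access on user streams as open to everyone, which is the second scenario in the question; the hardened document leaves only reads open.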