Microsoft KB Archive/275849

= How to help secure the BizTalk Server Messaging service =

Article ID: 275849

Article Last Modified on 2/22/2007

-

APPLIES TO


 * Microsoft BizTalk Server 2002 Standard Edition
 * Microsoft BizTalk Server 2000 Standard Edition

-



This article was previously published under Q275849



INTRODUCTION
A default installation of Microsoft BizTalk Server is not secure: the BizTalk Server state engine does not validate its callers, so it accepts work items from any caller, and its default configuration runs under the context of the interactive user. This article describes two changes that help secure the BizTalk Server Messaging service: running it under a dedicated service account, and restricting which users can call the Submit and SubmitSync methods of the BizTalk Server Interchange Application.



Specify a service account instead of the interactive user identity
It is usually better to configure the BizTalk Messaging service to run under a particular user identity, such as a service account, instead of under the interactive user identity, for the following reasons:
 * The service can run even when no one is logged on to the computer. If the identity is set to the interactive user identity, the application runs only while a user is logged on.
 * A particular user identity is more secure than the interactive user identity because only someone who has that user's password can assign the identity to the application. If the identity is set to the interactive user identity, the application runs under the identity of whoever is logged on, without that user's knowledge or consent. For example, if the application is running on a computer while an administrator is logged on, the application runs under the administrator's identity, and any call that it makes on behalf of a client is made with the administrator's privileges.

For more information about how to create a BizTalk Server service account, see the "Create a service account" topic in the BizTalk Server Help.
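The following Windows PowerShell script is an added example; it is not part of this article or of BizTalk Server. It changes the Windows service identity of the BizTalk Messaging Service to a dedicated service account through the Win32_Service WMI class and shows the identity before and after. The service name BTSSvc and the account CONTOSO\svc_biztalk are assumptions for illustration; replace them with the values from your installation.

```powershell
# Added example, not part of the KB article or of BizTalk Server: moves the
# BizTalk Messaging Service from its current identity to a dedicated service
# account and shows the identity before and after the change.
# Assumptions (placeholders): the service name 'BTSSvc' and the account
# CONTOSO\svc_biztalk. The password is prompted for, never stored in the script.
param(
    [string] $ServiceName = 'BTSSvc',
    [string] $Account     = 'CONTOSO\svc_biztalk'
)

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this computer" }
Write-Output "Before: '$($svc.DisplayName)' runs as $($svc.StartName)"

$cred  = Get-Credential -UserName $Account -Message "Password for $Account"
$plain = $cred.GetNetworkCredential().Password

# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
# StartMode, DesktopInteract, StartName, StartPassword, ...). Passing $null
# leaves a parameter unchanged. DesktopInteract is cleared because a service
# that runs as a dedicated account should not share the interactive desktop.
$result = $svc.Change($null, $null, $null, $null, $null, $false, $cred.UserName, $plain)
if ($result.ReturnValue -ne 0) {
    throw "Change() failed with return code $($result.ReturnValue) (22 = invalid service account)"
}

# The new identity is used from the next start of the service.
Restart-Service -Name $ServiceName -Force
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
Write-Output "After:  '$($svc.DisplayName)' runs as $($svc.StartName)"
```

If the restart fails with a logon failure, grant the account the "Log on as a service" user right in Local Security Policy; unlike the Services console, the WMI Change method does not grant that right for you.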

Modify the BizTalk Server Interchange Application COM+ component to control who submits work items
When you modify the BizTalk Server Interchange Application COM+ component, you can control which users can submit work items to BizTalk Server. Because the BizTalk Server Interchange Application is a COM+ application, it exposes the standard COM+ security settings, such as the following:
 * Authentication level
 * Impersonation level
 * Access permissions
 * Launch permissions
 * Configuration permissions

To control which users can submit work items, you must first add a new role to the BizTalk Server Interchange Application, and then associate that role with the Submit method and with the SubmitSync method.

Add a new role to the BizTalk Server Interchange Application

 * 1) Click Start, click Run, type \WINDOWS\system32\Com\comexp.msc, and then click OK.
 * 2) Expand the following nodes:
      * Component Services
      * My Computer
      * COM+ Applications
 * 3) Right-click BizTalk Server Interchange Application, and then click Properties.
 * 4) On the Advanced tab, under Permissions, click to clear the Disable changes check box, and then click OK.
 * 5) Right-click BizTalk Server Interchange Application, and then click Properties again.
 * 6) On the Security tab, under Authorization, click to select the Enforce access checks for this application check box.
 * 7) Under Security level, click Perform access checks at the process and component level (the option whose description reads "Security property will be included on the object context. The COM+ security call context is available."), and then click OK.
 * 8) In the dialog box that appears, click Yes.
 * 9) Under BizTalk Server Interchange Application, right-click Roles, click New, and then click Role.
 * 10) In the Roles dialog box, type a name for the role, for example Submit, and then click OK.
 * 11) In the dialog box that appears, click Yes.
 * 12) Expand the role that you created. Right-click Users, click New, and then click User.
 * 13) In the Select Users or Groups dialog box, type the names of the user accounts and groups that you want to add to this role, and then click OK.

Note An icon appears in the Users folder for each user account or for each group that you assign to the role. The new role membership takes effect the next time that the application is started.

Associate the Submit method and the SubmitSync method with the new role
Note You must create a new role for the BizTalk Server Interchange Application before you can associate the Submit method and the SubmitSync method with the new role.
 * 1) Click Start, click Run, type \WINDOWS\system32\Com\comexp.msc, and then click OK.
 * 2) Expand the following nodes:
      * Component Services
      * My Computer
      * COM+ Applications
      * BizTalk Server Interchange Application
      * Components
      * BizTalk.Interchange.1
      * Interfaces
      * IInterchange
      * Methods
 * 3) Right-click Submit, and then click Properties.
 * 4) On the Security tab, under Roles explicitly set for selected item(s), select the check box for the new role that you created earlier, and then click OK.
 * 5) Right-click SubmitSync, and then click Properties.
 * 6) On the Security tab, under Roles explicitly set for selected item(s), select the check box for the new role that you created earlier, and then click OK.
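The following Windows PowerShell script is an added example; it is not part of this article or of BizTalk Server. It performs the changes of both procedures above (enabling access checks on the application, creating the role and its members, and binding the role to the Submit and SubmitSync methods of IInterchange) through the COM+ administration objects (COMAdmin.COMAdminCatalog) instead of the Component Services console. The application, component, interface and method names are the ones that this article lists; the role name Submit, the group CONTOSO\BizTalkSubmitters and the helper function Get-CatalogItem are assumptions for illustration.

```powershell
# Added example, not part of the KB article or of BizTalk Server: performs the
# COM+ changes from both procedures above through the COM+ administration
# objects instead of the Component Services MMC.
# Assumptions (placeholders): the role name 'Submit', the group
# CONTOSO\BizTalkSubmitters, and the helper function Get-CatalogItem.
param(
    [string]   $AppName   = 'BizTalk Server Interchange Application',
    [string]   $Component = 'BizTalk.Interchange.1',
    [string]   $Interface = 'IInterchange',
    [string[]] $Methods   = @('Submit', 'SubmitSync'),
    [string]   $RoleName  = 'Submit',
    [string[]] $Members   = @('CONTOSO\BizTalkSubmitters')
)

# Returns the catalog object in $Collection whose $Property equals $Value, or $null.
function Get-CatalogItem($Collection, [string]$Property, [string]$Value) {
    $Collection.Populate()
    foreach ($item in $Collection) {
        if ($item.Value($Property) -eq $Value) { return $item }
    }
    return $null
}

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$app     = Get-CatalogItem $apps 'Name' $AppName
if (-not $app) { throw "COM+ application '$AppName' not found" }

# First procedure: clear "Disable changes" (Changeable), enforce access checks,
# and check at the process and component level
# (COMAdminAccessChecksApplicationComponentLevel = 1).
$app.Value('Changeable') = $true
[void]$apps.SaveChanges()
$app.Value('ApplicationAccessChecksEnabled') = $true
$app.Value('AccessChecksLevel')              = 1
[void]$apps.SaveChanges()

# Create the role and add its members; safe to run again if they already exist.
$roles = $apps.GetCollection('Roles', $app.Key)
$role  = Get-CatalogItem $roles 'Name' $RoleName
if (-not $role) {
    $role = $roles.Add()
    $role.Value('Name') = $RoleName
    [void]$roles.SaveChanges()
}
$users = $roles.GetCollection('UsersInRole', $role.Key)
foreach ($member in $Members) {
    if (-not (Get-CatalogItem $users 'User' $member)) {
        $u = $users.Add()
        $u.Value('User') = $member
    }
}
[void]$users.SaveChanges()

# Second procedure: bind the role to each method. COM+ enforces method-level
# roles only when the component itself has access checks enabled.
$comps = $apps.GetCollection('Components', $app.Key)
$comp  = Get-CatalogItem $comps 'Name' $Component
if (-not $comp) { throw "Component '$Component' not found in '$AppName'" }
$comp.Value('ComponentAccessChecksEnabled') = $true
[void]$comps.SaveChanges()

$ifaces = $comps.GetCollection('InterfacesForComponent', $comp.Key)
$iface  = Get-CatalogItem $ifaces 'Name' $Interface
if (-not $iface) { throw "Interface '$Interface' not found on '$Component'" }
$meths  = $ifaces.GetCollection('MethodsForInterface', $iface.Key)
foreach ($name in $Methods) {
    $method = Get-CatalogItem $meths 'Name' $name
    if (-not $method) { throw "Method '$name' not found on '$Interface'" }
    $rfm = $meths.GetCollection('RolesForMethod', $method.Key)
    if (-not (Get-CatalogItem $rfm 'Name' $RoleName)) {
        $r = $rfm.Add()
        $r.Value('Name') = $RoleName
        [void]$rfm.SaveChanges()
    }
}

# Role membership takes effect when the application next starts, so stop it now.
$catalog.ShutdownApplication($AppName)
Write-Output "Role '$RoleName' now guards $($Methods -join ', ') on $Interface."
```

Run the script in an elevated Windows PowerShell session on the BizTalk Server computer. After it completes, a caller that is not a member of the role receives an access-denied error from Submit and SubmitSync, which you can verify by submitting a test document under an account that is outside the role.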

Keywords: kbinfo kbpending KB275849

-


© Microsoft Corporation. All rights reserved.