Level       Explanation

Delegate    The client's identity is established by the called component, which can use the full identity to access resources available to the client on the same server on which the called component is running. Additionally, the called component can pass this identity on to another component running on any other computer.

After setting the Default Properties, you can set the default security properties (Figure 8.16). To do so:

1. Select the Default Security tab. You will see two frames: Default Access Permissions and Default Launch Permissions. Both have an Edit Default... button.

2. Press Edit Default... in the Default Access Permissions frame. A dialog called Registry Value Permissions is shown, indicating that the default access permissions are saved in the Registry. By default, the list box is empty. By pressing Add, you can add users and groups to the list and select the type of access. The possible values are AllowDefaultAccessPermission and DenyDefaultAccessPermission.

3. For now, leave the list empty and press Cancel. This means that each COM+ application needs to define user access explicitly by using roles (discussed in the section COM+ Application Security Settings).

4. Press Edit Default... in the Default Launch Permissions frame. Again, a Registry Value Permissions dialog appears. You will probably see a number of entries in the list with the value AllowDefaultLaunchPermission. Among these are the groups INTERACTIVE and SYSTEM. By default, a COM+ application will have one of these two groups as the user who is allowed to launch the application. If you are sure that none of the COM+ applications running on the server where BizTalk Server is installed need to interact with the desktop, it is a good idea to set INTERACTIVE to DenyDefaultLaunchPermission. Otherwise, leave it as is and press Cancel.

Figure 8.16 The Default Security Tab in the My Computer Properties Window

You should also check the Default Protocols tab, which lists the protocols that can be used for DCOM. It should only list Connection-oriented TCP/IP. Since we chose IP Security (IPSec) to protect traffic between servers, using any other protocol would result in unsecured communication. Enforcing TCP/IP as the one and only protocol for DCOM prevents this. Also, make sure that on the MSDTC tab, the Client Network Protocol Configuration is set to TCP/IP.
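The machine-wide defaults set in the steps above are stored in the registry, so they can be audited without the dialogs. The following PowerShell script is an added example, not from the book or from BizTalk Server; it assumes an elevated session on the BizTalk server and reads the standard Ole and Rpc registry locations.

```powershell
# Added audit script, not from the book: reads the machine-wide DCOM defaults that
# the Default Security and Default Protocols tabs store in the registry and reports
# the two points the text recommends checking.
# Assumption: run in an elevated PowerShell session on the BizTalk server.

$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc'

# Default Protocols tab: only connection-oriented TCP/IP (ncacn_ip_tcp) should be listed.
function Test-DcomProtocols {
    $protocols = (Get-ItemProperty -Path $rpc -Name 'DCOM Protocols' -ErrorAction SilentlyContinue).'DCOM Protocols'
    if (-not $protocols) { Write-Warning "'DCOM Protocols' value not found under $rpc"; return }
    $extra = @($protocols | Where-Object { $_ -ne 'ncacn_ip_tcp' })
    if ($extra.Count -gt 0) { Write-Warning "DCOM protocols other than TCP/IP are enabled: $($extra -join ', ')" }
    else                    { Write-Host 'OK: DCOM is restricted to connection-oriented TCP/IP' }
}

# Default Access/Launch Permissions: the dialog edits a binary security descriptor.
# Decode it and return one object per ACE. An absent value means an empty list,
# which for DefaultAccessPermission is the state the text recommends.
function Get-DcomDefaultAces {
    param([ValidateSet('DefaultAccessPermission','DefaultLaunchPermission')][string]$ValueName)
    $bytes = (Get-ItemProperty -Path $ole -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        $account = $ace.SecurityIdentifier.Value          # fall back to the raw SID if it cannot be resolved
        try { $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{ Value = $ValueName; Account = $account; Type = $ace.AceType; Mask = $ace.AccessMask }
    }
}

Test-DcomProtocols
$launchAces = @(Get-DcomDefaultAces -ValueName 'DefaultLaunchPermission')
$launchAces | Format-Table -AutoSize

# Flag INTERACTIVE while it still has an Allow entry for launching (step 4 above).
if ($launchAces | Where-Object { $_.Account -like '*INTERACTIVE' -and $_.Type -eq 'AccessAllowed' }) {
    Write-Warning 'INTERACTIVE may still launch COM+ applications by default; set it to Deny if no application needs the desktop'
}
if (@(Get-DcomDefaultAces -ValueName 'DefaultAccessPermission').Count -eq 0) {
    Write-Host 'OK: Default Access Permissions list is empty; access is governed by COM+ roles'
}
```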

COM+ Application Security Settings

Setting the security machine-wide is a safety net in case you forget certain security settings on individual COM+ applications. However, this is certainly not the optimal security setting, and you should make sure that the security settings of each COM+ application within your BizTalk application are set deliberately. In this section, the COM+ application XLANG Scheduler is used to show the different security options. Figure 8.17 shows the partially expanded structure of the XLANG Scheduler application.

Figure 8.17 Expanded XLANG Scheduler Application in MMC

Let's see what these settings are and how you can set them:

1. Open the Microsoft Management Console (MMC) and add the Component Services snap-in.

2. Expand Component Services | Computers | My Computer | COM+ Applications.

3. Expand XLANG Scheduler. At this point, you see under the XLANG Scheduler two folders: Components and Roles. Before determining what security settings are available within these two folders, we must first look into the security properties of the XLANG Scheduler application.

4. Right-click the XLANG Scheduler application, and select Properties. The XLANG Scheduler Properties dialog appears. As you will notice by clicking the tabs, you cannot change any settings. These are locked to prevent them from being changed accidentally, which could break running XLANG Scheduler components. Another thing to notice is the last tab, XLANG. This is no coincidence! If you create a new COM+ application, you will see that the same XLANG tab appears in its Properties window. It is there to enable another COM+ application to host XLANG schedule instances, by making an ODBC connection to an Orchestration Persistence database. You will find more information on this in the section Database Security. Now, before you can make changes to the Properties settings, you need to "unlock" the settings.

5. Select the Advanced tab, uncheck Disable Changes in the Permission frame, and click OK.

6. A warning dialog appears. You can answer by pressing OK, and the Properties dialog will close.

7. Reopen the XLANG Scheduler Properties dialog. You will see that all properties can now be changed.

8. Select the Security tab (Figure 8.18). The Security tab comprises three parts: Authorization, Security level, and Authentication/Impersonation.

Figure 8.18 The Security Tab in the XLANG Scheduler Properties Window

For authorization, you can check the option Enforce access checks for this application. By doing so, you ensure that the client's identity is checked during access and launching of the application. If no specific user is specified at the COM+ application level, the access list you defined at the My Computer level is used. By default, you should check this option for all COM+ applications in BizTalk Server.

Security-level settings are only used if you have the Authorization option checked, and they apply to incoming calls. There are two possible settings:

■ Perform access checks only at process level. This means that only calls coming from another COM+ application are subject to access checks. Calls within a COM+ application are regarded as safe. The security context will not be part of the context in which the component is running. Therefore, if the caller is allowed to access the COM+ application, access is granted without any further checks.

■ Perform access checks at the process and component level. This means that calls within a COM+ application are checked. In this case, the security context of the caller will be part of the component context. Select this option for the BizTalk Server COM+ applications.

Authentication and impersonation levels only apply to outgoing calls. Refer back to Table 8.1 for authentication-level values and Table 8.2 for impersonation-level values. Select Packet Integrity for the authentication level. Since you will use IPSec for communication between servers, encryption of the packet is not necessary. However, this assumes that the server is safe enough that data in calls within the server does not need to be encrypted. Select Impersonate for the impersonation level. Only use Delegate in an environment in which closely linked BizTalk COM+ applications run on different servers.

The Identity tab enables you to select the account that launches the COM+ application, and in which context the application will run. Here is where the Service Account comes into play. In the Account frame, you can select:

■ Interactive user The user who launches the COM+ application is used for the context in which the application will run. If the user logs out, the COM+ application is automatically shut down. When you select this option, the user list of the Default Launch Permissions is used.

■ This user An existing user account on the server or within the Active Directory can be selected. You should always choose this option, so the COM+ application can run even when no user is logged on. In our case, you should select the service account you created for the XLANG Scheduler. Remember to make the following changes to the account (see the section Server Configurations for more information):

■ Enable Act as part of the operating system

■ Disable Deny logon as a service

■ Disable Shutdown the system

■ Enable User cannot change password

■ Enable Account never expires

Select This user, since this is our desired option, and then check that it is working correctly. If you enter the incorrect password, the COM+ application will not start.

The Activation tab enables you to determine "where" your BizTalk COM+ application is started. Always select Server application, whereby the COM+ application runs as a separate process on the server, in the context of the service account. This option ensures that the COM+ application cannot be brought down by other code executing in the same process, and vice versa. Additionally, if a rogue user seizes control of the application, access to the system is limited to the service account.
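The per-application settings discussed above (access checks, security level, authentication, impersonation, identity and activation) are held in the COM+ catalog and can be compared against the recommended values without clicking through the tabs. The following PowerShell script is an added example, not from the book or from BizTalk Server; it assumes an elevated session on the BizTalk server, the COMAdmin.COMAdminCatalog COM object, and an application named "XLANG Scheduler" as in Figure 8.17.

```powershell
# Added check script, not from the book: reads the XLANG Scheduler application's
# security settings from the COM+ catalog and compares them with the values this
# section recommends. Assumptions: elevated session on the BizTalk server; the
# application is named "XLANG Scheduler" as shown in Figure 8.17.

$appName = 'XLANG Scheduler'

# Recommended values, expressed with the COM+ catalog's own enumerations.
$expected = @{
    ApplicationAccessChecksEnabled = $true   # Enforce access checks for this application
    AccessChecksLevel              = 1       # COMAdminAccessChecksApplicationComponentLevel
    Authentication                 = 5       # COMAdminAuthenticationIntegrity (Packet Integrity)
    ImpersonationLevel             = 3       # COMAdminImpersonationImpersonate
    Activation                     = 1       # COMAdminActivationLocal (Server application)
}

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()

$app = $null
foreach ($a in $apps) { if ($a.Name -eq $appName) { $app = $a } }
if (-not $app) { throw "COM+ application '$appName' not found" }

# Step 5 above: the application is locked until Disable Changes is unchecked.
if ($app.Value('Changeable') -eq $false) {
    Write-Host "Note: '$appName' is locked (Disable Changes); its settings are read-only."
}

$findings = foreach ($key in $expected.Keys) {
    $actual = $app.Value($key)
    [pscustomobject]@{
        Setting  = $key
        Expected = $expected[$key]
        Actual   = $actual
        Status   = if ($actual -eq $expected[$key]) { 'OK' } else { 'REVIEW' }
    }
}
$findings | Format-Table -AutoSize

# Identity tab: the dedicated service account should be used, never Interactive user.
$identity = $app.Value('Identity')
if ($identity -eq 'Interactive User') {
    Write-Warning "Identity is 'Interactive User'; select 'This user' with the XLANG Scheduler service account"
} else {
    Write-Host "Identity: $identity"
}
```

A 'REVIEW' row does not always mean a mistake; it means the catalog value differs from the recommendation in this section and should be checked against the reason for the deviation.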
