Network Protection

PC Repair Tools

Advanced Registry Cleaner PC Diagnosis and Repair

Get Instant Access

The BizTalk infrastructure can be extensive if you tie it to the Internet, integrate it with Microsoft Commerce Server or another Microsoft .Net Server product, and link it to your back office where your ERP system is residing. Data is floating all over the place, and by default available for everybody's eyes. Network sniffers are available in abundance, so you should take care that valuable data is kept hidden for prying eyes.

The best, if not only, way to do this is by using data encryption and secured communication.Within the Windows 2000 environment, you can use Secured Socket Layer (SSL) or Internet Protocol Security (IPSec).


Although SSL 3.0 is still widely used, it has been succeeded by Transport Layer Security (TLS), which is described in RFC-2246 ( and is supported by Windows 2000. Windows 2000 also comes with Service Pack 2 standard with 128-bit encryption. To check what the encryption level of your system is, point your Web browser to

You will use SSL to go between the IIS Server and the clients that want to contact the Web Server and it should be enforced for every user that wants to access the IIS Server, not only the ones that access the IIS Server from outside your network.

For most SSL applications, it is used to protect the client, not the server. From your standpoint, you also want conformation that the client is trustworthy, so the client, actually the user, needs a certificate too. Remember that the IIS Server forces the negotiation of a secured channel, but the client decides what type of encryption is going to be used.

You can select the security protocols in the Web browser (Figure 8.4). Go to Tools | Internet Options | Advanced, and scroll down to the security section.

Figure 8.4 Selecting the Security Protocols in Internet Explorer 5.5

Figure 8.4 Selecting the Security Protocols in Internet Explorer 5.5

server, so IIS is unable to use them. In case the client and server cannot agree on a common secure protocol, the server will deny access. As noted earlier, direct editing in the Registry is not recommended; however, in this situation, we are left with no other choice.

To disable one or more of the security protocols, you need to do the following:

1. Run regedt32.exe, through Start | Run. Do not use regedit.exe, since you are not able to set the correct values.

2. After the Registry Editor has started, open the following Registry folder: HKEY_Local_Machine\System\ CurrentControlSet\Control\SecurityProviders\SCHANNEL\ Protocols You will see five folders:

■ Multi-Protocol Unified Hello

3. Let's suppose you want to disable the PCT 1.0 protocol, so open the PCT 1.0\Server folder.

4. Now you need to add the binary value 00 00 00 00. You do this by Edit | Add Value... For the Value Name, enter Enable, and for the Data Type, choose REG_BINARY, and then press OK.

5. Now the Binary Editor opens. Enter the value 00000000, and press OK.

6. Do the same for all the server-side protocols you want to disable.

7. When you are finished, you need to restart the server to activate the changes.


Remember to document these changes, since Registry modifications are not traceable.

It is clearly not advisable to let the client decide what the level of security is. However, the HTTP-based security only covers the communication between the IIS server and the clients, but not between the servers in your BizTalk infrastructure.

This is where the use of IPSec comes in, an open standard described in RFC-2401 ( IPSec comes in two flavors: Authentication Header (AH; RFC-2402) and Encapsulating Security Payload (ESP; RFC-2406).The difference is clearly stated in the RFC-2401:

■ The IP Authentication Header (AH) provides connectionless integrity, data origin authentication, and an optional anti-replay service.

■ The Encapsulating Security Payload (ESP) protocol may provide confidentiality (encryption), and limited traffic flow confidentiality. It also may provide connectionless integrity, data origin authentication, and an anti-replay service. (One or the other set of these security services must be applied whenever ESP is invoked.)

■ Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.


Within Windows 2000, AH is hyped as medium security, and ESP

as high.

Setting up an IPSec connection starts a negotiation regarding the authentication methods and encryption algorithm, as described in the IKE/Oakley standard (RFCs 2409 and 2412). Before activating IPSec on your Windows 2000 Server network interface (as described in the next section), you should consider the following issues:

■ Depending on the amount of communication over the network, which can be substantial for a distributed BizTalk environment, the bandwidth utilization can jump as much as 10 percent. Make sure there is enough bandwidth available before making all IP communication secure.

■ Depending on the amount of network communication a server has, encryption/decryption algorithms can increase a CPU's load by around 15 percent. If the server is not equipped with sufficient CPU power, it will slow the server.

■ The more secure the encryption standard is, the more CPU power it takes. As you will understand, there is a significant difference between using DES or its more secure "brother,"Triple DES (3DES). Make your choice depending on the risks you run that your encryption keys are subject to crypto-analysts (that is the nice word for crypto-criminals).

■ If you really want to go for the strongest possible encryption, it would be a smart decision to use hardware-embedded encryption and not the software version (such as that which is activated in Windows 2000). By equipping your servers with NICs that have embedded 3DES/DES encryption, encryption will be done at wire speed, and will not claim any server CPU and memory resources.To get an idea of what is available, visit the Red Creek Communications site (

IPSec Policies

You activate IPSec in Windows 2000 through IPSec policies.You are able to make your own policies, suiting your particular needs. Here we will only look at the predefined ones:

■ Client (Respond Only) Mostly used on Windows 2000 Professional clients that will only activate IPSec if requested by a server.

■ Server (Request Security) Used on the server if it is not necessary to use IPSec. The server will request the client to use IPSec. If the client denies, then insecure IP is used.

■ Secure Server (Require Security) A connection is only established if the client has at least a "Respond Only" IPSec policy activated. If the client is not able to set up an IPSec connection, the server will refuse the connection.

There are a number of ways to set up and manage IPSec policies for users, computers, and servers. The best way is to centralize the management of IPSec policies using the MMC with the IP Security Policies snap-in.You will do this on the local or domain level (Figure 8.5). Assuming you have an Active Directory domain in place, doing it on domain level makes the policies available for all computers (and users) in the domain.You can assign the policies from within every group policy. It is beyond the scope of this chapter to explain the way group policies contribute to the security of your domain. However, keep the following points in mind:

■ A group policy defines settings for computers and users.

■ Every time a computer boots Windows and contacts the domain controller, the settings are transferred to the computer.

■ Every time users log on to Windows, the settings are downloaded from the domain controller.

■ Group policies can be defined on different levels within the domain and are applied in the order of: local, site, domain, and organizational units.

■ By default, group policy settings are inherited from earlier applied group policies, and can subsequently be overwritten by the group policies that are applied later.

■ IPSec policies need to be explicitly assigned to users or computers from within a group policy.

Figure 8.5 Using the Microsoft Management Console IP Security Policies Snap-In

I'm fflwfc ¡hi1 ccnA n ri '■'.ur-^l'-FL^;!?*- ■ T.'£ - i-.'-n


Do not change the IPSec policies from within a group policy! Since IPSec policies are global to the domain, these changes will take affect throughout the domain. In case you need a slightly different IPSec policy, create a new one, and assign it to the group policy.

For Windows 2000 servers that are not part of a domain, you can also set an IPSec policy directly on an interface.To do so:

1. Select My Network Places on the desktop, and open the Properties window.

2. Select the Local Network Connection that represents the proper NIC, and open the Properties window.

3. Open the Properties dialog of Internet Protocol (TCP/IP) and press Advanced____

4. Selective the Options tab, and now you are able the set the IP Security Properties.

To give you more understanding about how to activate IPSec between your servers in the BizTalk environment, we are going to look at a quick exercise.Your BizTalk environment is comprised of three servers: BizTalk-1,Tracking-1, and Database-l.They are all part of the same domain and need the same IP Security characteristics. For the sake of the exercise, let us assume all three servers reside in the same subnet and have direct communication with each other. Group the three servers in the default site and create an IPSec policy for the three servers.

To activate the IP Security policy in the group policy of the site:

1. Open the Microsoft Management Console and be sure that at least the following snap-ins are added to the list: Active Directory Sites and Services, and IP Security Policies on Active Directory.

2. Open Active Directory Sites and Services, and open the Sites folder.You will at least see one site in the list that is created as a default site in the domain.

3. Open this Sites folder, and then open the Servers folder.The domain controller is already in there. Now add the other three servers by right-clicking the Servers folder, and selecting New | Server.

4. Now, click on IP Security Policies on Active Directory.The right part of the dialog shows the available IPSec policies (Figure 8.5).

5. Right-click the IP Security Policies on Active Directory, and select All Tasks | Create IP Security Policy. This will start the IP Security Policy Wizard.

6. The first step in the wizard is giving the policy a name and description. In the example, the name "IPSec BizTalk" is used.

7. Next, you are asked if the policy should Activate the default response rule. Keep it checked. It will work as a safety net; in case other rules in the policy do not apply, the server will at least positively respond to a request using IPSec.

8. After clicking Next, you must decide what authentication is used by the default response rule.You are presented with three options:

■ Windows 2000 default (Kerberos V5 protocol) This option only works if both client and server are members of a trusted domain. The Kerberos server needs to validate the authenticity of the client, and server for that matter.The use of Kerberos might be regarded as the most solid solution with a Windows 2000 environment. Remember, not every environment supports Kerberos V5. (More information on Kerberos V5 can be found in RFC 1510. Since the first release of Windows 2000, there is discussion regarding if Microsoft made some modifications to their Kerberos implementation that are not described in any RFC.)

■ Use a certificate from this certificate authority (CA) This option should be used if Kerberos is not available as an authentication method. After selecting this option, you can browse through your shared key store on the server. If this is not available, you can select a predefined certificate, which is less secure.

■ Use the string to protect the key exchange (preshared key)

It is advised not to use this method since is far from secure. Both parties wanting to set up an IPSec connection must enter the exact same preshared key. Additionally, this key is stored in readable— hence, nonencrypted—format.

9. Since all the servers are in the same domain, select Windows 2000 default.

10. After clicking Next, you can finish the wizard. If you want to make changes to the policy properties, keep Edit Properties checked. Then, click Finish.

11. Now you enter the IPSec Properties dialog (Figure 8.6), with two tab pages: Rules and General. In the IP Security Rules list you see one rule, the one you created with the wizard.

Figure 8.6 Use the Properties Page to Maintain the IP Security Policy

Figure 8.6 Use the Properties Page to Maintain the IP Security Policy

12. You see in the bottom-right corner the option Use Add Wizard. If you uncheck this and subsequently click Add...,you have to manually configure a new rule. Keeping it checked will activate the Security Rule Wizard. Without the wizard, you can configure rules in more detail, but you must have a more in-depth knowledge of how rules work.

13. To see what is behind the rule in the list, select the rule line and press

Edit____You will see the Edit Rule Properties dialog with three tab pages.The Security Methods tab is shown in Figure 8.7. As mentioned earlier during the initial phase of setting up an IPSec connection, there is a negotiation. When this rule executes, the Security Method preference order gives the sequence in which the security settings are negotiated; in our case, by the BizTalk Servers.

Figure 8.7 Editing a Rule of an IP Security Policy

Figure 8.7 Editing a Rule of an IP Security Policy

14. Now, select the first line in the Security Method list, press Edit..., and you will get into the Modify Security Method tab. Since Custom (for expert users) is selected, you will now press Settings____

15. The Session Key Settings box in the dialog (Figure 8.8) allows you to Generate a new key every so many kilobytes or seconds.You can check the seconds option and leave the value at 3600.This means that every hour, the servers involved in this IPSec connection will exchange new session keys. By doing this, you make it more difficult for crypto-analysts to break your key. Figure 8.8 shows that the Security Method is set to ESP and it makes use of key hashing algorithm SHA1 and the encryption algorithm 3DES. By using these, you have enabled the most secure communication available within Windows 2000.

16. Press OK to leave this option, and close the IPSec Properties window.

17. Go back to the Site object where earlier you added the servers. Right-click the site and select Properties.You enter the Properties dialog and then select the Group Policy tab. A list of group policies is shown. In our case, this will likely be empty, so you have the choice of the available buttons:

■ New With this button, you create a new group policy.

■ Add With this button, you can select a group policy that is already in use with the Active Directory tree.

Figure 8.8 Modifying the Session Key Settings

Figure 8.8 Modifying the Session Key Settings

18. Select New, give the policy the name BizTalk Group Policy, and press Enter. Next, press Edit and a Group Policy dialog will open. It shows two configuration trees: Computer and User.You will use Computer.

19. Within the Computer Configuration, open Windows Settings | Security Settings.Then, select IP Security Policies on Active Directory.You see in the right pane of the window all the available IP security policies, including the "IPSec BizTalk" you just created. In this part, the column "Policy Assigned" will probable all state "No."

20. To activate your IPSec BizTalk policy, right-click this policy and select Assign.The No will turn into Yes. Close the window.

21. The next time the servers synchronize their settings, which you can enforce by rebooting the server right away, this security policy is activated.

We will get back to security in the section Certificates and CryptoAPI. In case you want to learn more about the use of Active Directory, you can read Syngress Publishing's Active Directory for Windows 2000 Server (ISBN 1-928994-60-1).

Was this article helpful?

0 0

Post a comment