How To Secure the BizTalk Server Messaging Service (275849)
The information in this article applies to:

  • Microsoft BizTalk Server 2000

This article was previously published under Q275849

SUMMARY

You cannot secure a default installation of BizTalk Server because the BizTalk Server state engine does not validate its callers, and the default configuration of the BizTalk Server state engine runs under the context of an interactive user. This article describes how you can secure BizTalk Server and is divided into the following sections:
  • Specify Service Account Instead of Interactive User Identity
  • Modify the BizTalk Server Interchange Application COM+ Component to Control Who Submits Work Items

MORE INFORMATION

Specify Service Account Instead of Interactive User Identity

It is usually better to configure the BizTalk Messaging Service to run under the context of a particular user identity (such as a service account) rather than the interactive user identity because:
  • The server can run even when no one is logged on to the computer that the application is running on. If the identity is set to interactive user, the application only runs when a user is logged on.
  • A particular user identity is more secure because it can only be assigned to the application by someone who has the specific user's password. If the identity is set to interactive user, the application runs under the identity of the user who is logged on, without that user's knowledge or consent. For instance, if the application is running on a computer while an administrator is logged on, the application runs under the administrator's identity, which potentially makes calls on behalf of clients.
For more information about how to create a BizTalk Server service account, see the "Create a service account" topic in the BizTalk Server online help.

Modify the BizTalk Server Interchange Application COM+ Component to Control Who Submits Work Items

When you modify the BizTalk Server Interchange Application COM+ component, you can control which users are allowed to submit work items to BizTalk Server 2000. Because the BizTalk Server Interchange Application is a COM+ application, it exposes several security configuration properties, for example:
  • Authentication level
  • Impersonation level
  • Access permissions
  • Launch permissions
  • Configuration permissions
To control which users are allowed to submit work items, you must first add a new role to the BizTalk Server Interchange Application and then associate that role with the Submit and SubmitSync methods.

Add a New Role to the BizTalk Server Interchange Application

  1. On the Start menu, point to Programs, point to Administrative Tools, and then click Component Services.
  2. Click to expand the following nodes:
    • Component Services
    • My Computer
    • COM+ Applications

  3. Right-click BizTalk Server Interchange Application, and then click Properties.
  4. On the Advanced tab, in the Permissions text box, clear the Disable changes check box, and then click OK.
  5. Right-click BizTalk Server Interchange Application, and then click Properties again.
  6. On the Security tab, in the Authorization text box, select the Enforce access checks for this application check box.
  7. Under Security level, click the option labeled "Perform access checks at the process and component level. Security property will be included on the object context. The COM+ security call context is available", and then click OK.
  8. In the resultant dialog box, click Yes.
  9. Under BizTalk Server Interchange Application, right-click Roles, click New, and then click Role.
  10. In the Roles dialog box, type a name for the role (for example, Submit), and then click OK.
  11. In the resultant dialog box, click Yes.
  12. Click to expand the role that you created. Right-click Users, click New, and then click User.
  13. In the Select Users or Groups dialog box, type the name of the user(s) and/or groups that you want to add to this role, and then click OK.
NOTE: An icon appears in the Users folder for each user account or group that you assign to the role. The new role membership takes effect the next time that the application is started.

Associate the Submit and SubmitSync Methods with the New Role

NOTE: You must create a new role for the BizTalk Server Interchange Application before you can associate the Submit and SubmitSync methods with it.
  1. On the Start menu, point to Programs, point to Administrative Tools, and then click Component Services.
  2. Click to expand the following nodes:
    • Component Services
    • My Computer
    • COM+ Applications
    • BizTalk Server Interchange Application
    • Components
    • BizTalk.Interchange.1
    • Interfaces
    • IInterchange
    • Methods

  3. Right-click Submit, and then click Properties.
  4. On the Security tab, in the Roles explicitly set for selected item(s) text box, select the check box for the new role that you created in the preceding steps.
  5. Right-click SubmitSync, and then click Properties.
  6. On the Security tab, in the Roles explicitly set for selected item(s) text box, select the check box for the new role that you created in the preceding steps.
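The two procedures above (create the role and its members, then bind the role to Submit and SubmitSync on IInterchange), applied through the COM+ Administration catalog from PowerShell instead of the Component Services console. This is an added example, not part of the article or the product; it assumes the standard COMAdmin collection and property names (Applications, Roles, UsersInRole, Components, InterfacesForComponent, MethodsForInterface, RolesForMethod, AccessChecksLevel) and uses a placeholder group name for the role members.

```powershell
# Added example: scripted equivalent of the Component Services steps above.
# Assumes the COMAdmin.COMAdminCatalog collection/property names listed in the lead-in;
# run elevated on the BizTalk server.
param(
    [string]$AppName   = 'BizTalk Server Interchange Application',
    [string]$RoleName  = 'Submit',                       # role name from step 10 above
    [string[]]$Members = @('DOMAIN\BizTalkSubmitters')   # placeholder group, replace
)
$cat  = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $cat.GetCollection('Applications'); $apps.Populate()
$app  = @($apps) | Where-Object { $_.Name -eq $AppName }
if (-not $app) { throw "COM+ application '$AppName' not found" }

# Steps 4, 6, 7: allow changes, enforce access checks, check at process and component level
$app.Value('Changeable') = $true
$app.Value('ApplicationAccessChecksEnabled') = $true
$app.Value('AccessChecksLevel') = 1   # COMAdminAccessChecksApplicationComponentLevel
$apps.SaveChanges() | Out-Null
if ($app.Value('Identity') -eq 'Interactive User') {
    Write-Warning 'Application still runs as Interactive User; assign a service account as described above'
}

# Steps 9 to 13: create the role if missing and add its members
$roles = $cat.GetCollection('Roles', $app.Key); $roles.Populate()
$role  = @($roles) | Where-Object { $_.Name -eq $RoleName }
if (-not $role) { $role = $roles.Add(); $role.Value('Name') = $RoleName; $roles.SaveChanges() | Out-Null }
$users = $cat.GetCollection('UsersInRole', $role.Key); $users.Populate()
foreach ($m in $Members) {
    if (-not (@($users) | Where-Object { $_.Value('User') -eq $m })) {
        $u = $users.Add(); $u.Value('User') = $m
    }
}
$users.SaveChanges() | Out-Null

# Second procedure: grant the role on Submit and SubmitSync of IInterchange only,
# so that every other caller is rejected by the COM+ access check
$comps = $cat.GetCollection('Components', $app.Key); $comps.Populate()
$comp  = @($comps) | Where-Object { $_.Name -eq 'BizTalk.Interchange.1' }
$ifcs  = $cat.GetCollection('InterfacesForComponent', $comp.Key); $ifcs.Populate()
$ifc   = @($ifcs) | Where-Object { $_.Name -eq 'IInterchange' }
$meths = $cat.GetCollection('MethodsForInterface', $ifc.Key); $meths.Populate()
foreach ($meth in (@($meths) | Where-Object { $_.Name -in 'Submit', 'SubmitSync' })) {
    $rfm = $cat.GetCollection('RolesForMethod', $meth.Key); $rfm.Populate()
    if (-not (@($rfm) | Where-Object { $_.Name -eq $RoleName })) {
        $r = $rfm.Add(); $r.Value('Name') = $RoleName; $rfm.SaveChanges() | Out-Null
    }
}
```

As with the console steps, the new role membership takes effect the next time the application is started.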

Modification Type: Minor
Last Reviewed: 7/15/2004
Keywords: kbinfo kbpending KB275849