What Are the Secure Deployment Requirements?
Commerce Server 2009 uses many tools, such as Windows Integrated Security, Microsoft Internet Information Services (IIS), Windows Authorization Manager, SQL Server database role assignments, and Windows Component Services, to create and maintain a secure deployment. This topic provides an overview of the security elements that you create and associate within a Commerce Server 2009 deployment environment. Information is grouped as follows:
Authentication and Secure Access Requirements
Data Encryption
Optional Secure Deployment Tools and Tasks
ASP.NET Security
Authentication and Secure Access Requirements
Authentication in Commerce Server 2009 involves validating user credentials for external site visitors, internal business users, and internal service accounts. Commerce Server 2009 uses a different authentication approach for each of these user segments. In all scenarios, users and services need access to the following types of site assets in the Web site application:
Web server resources such as pages, images, and other static files.
Database resources such as per-user, application-wide, or other forms of dynamic data.
Network resources such as remote file system resources and directory stores such as Active Directory.
In turn, the Web site application needs access to system resources such as the registry, event logs, and configuration files.
Review the following sections for a summary of the secure deployment methods that are used to support access by the different user segments:
External Access by Site Users
Internal Access by Business Users and Commerce Server Services
Authorization Role-Based Access
Database Role Mapping and the Trusted System Model
Windows Authentication and Windows Integrated Security
External Access by Site Users
First time visitors to the Web site, or non-registered users, can access the Web site through ASP.NET and the RunTimeUser account that you create.
The secure deployment requirements used to support anonymous user access to the Web site are as follows:
Two anonymous user identity accounts, both a data domain and a Web domain account, are defined in a production environment. The RunTimeUser account is an IIS account that Commerce Server 2009 uses to give anonymous users access to the Web site.
Controlled access to specific databases and the ability to read or write to the databases is controlled through SQL Server database login accounts and database user role mappings. To review the predefined database role mapping requirements, see What Are the Required Database Accounts and Database Role Mappings?
IIS application pool and IIS Worker Process Group assignments are made. Create an IIS application pool for the Web site and assign the anonymous user identity to the application pool and the IIS worker process group.
The anonymous user identity must be granted write permissions to the temporary ASP.NET and Windows temporary folders.
Commerce Server 2009 uses one of three authentication methods to identify and track users who register with the site:
Commerce Server 2009 membership provider, which integrates Commerce Server 2009 profiles with ASP.NET logon and registration controls.
AuthManager, which uses the AuthManager object to identify users and gather information that you use for user authentication.
AuthFilter ISAPI filter, which alters the default behavior of IIS and affects the handling of HTTP requests and responses.
Commerce Server 2009 membership provider is the recommended method for supporting user authentication. Commerce Server 2009 supports AuthManager and AuthFilter methods, but are obsolete functions in Commerce Server 2009. For information about these methods, see Authentication Concepts and Tasks.
.gif "Important note") Important Note: |
|---|
If you are upgrading an existing Commerce Server site to use with Commerce Server 2009 and you want to continue to use either AuthManager or AuthFilter, review the information provided in How to Restore AuthFilter Functioning. |
Internal Access by Business Users and Commerce Server Services
Internal business users must have access to the Commerce Server 2009 Business Management applications. And, Commerce Server 2009 services must have access to various Commerce Server 2009 resources. Commerce Server 2009 implements two levels of granular security that address these areas.
The first level of security is implemented by using Windows Authorization Manager to define scopes, roles, tasks, and operations to manage access to the Catalog, Inventory, Marketing, Profiles, and Orders systems. Between four and ten security roles are defined per system.
The second level of security is implemented by mapping users to predefined database roles. This grants access to operations, not to resources, for the service identities. The back-end resource managers, such as databases, trust the application to authenticate users and grant access to the trusted service identity. For example, a database administrator might grant access exclusively to a specific human resource application, but not to individual users.
Business User Access to the Business Management Applications
The following list summarizes the secure deployment requirements used to support business users access to the Business Management applications, and these applications access to Web services. These deployment tasks are performed on the production server where the Commerce Server 2009 Web services are run. In an Enterprise deployment, this is the business management server.
Each business user is assigned a domain account.
Business management Windows or Active Directory groups are created according to your business needs. To review the set of predefined security roles, see What Are the Accounts and Groups to Create?
Each business user domain account is added to one or more business management group accounts.
You assign business management groups to one or more predefined authorization roles. For more information, see What Are the Minimum Authorization Roles to Assign?
Controlled access to specific databases and the ability to read or write to the databases is controlled through SQL Server database login accounts and database user role mappings. To review the predefined database role mapping requirements, see What Are the Required Database Accounts and Database Role Mappings?
IIS application pool and IIS worker process group assignments are made. You create an IIS application pool for each Web service and you assign the Web service account to its application pool and the IIS worker process group.
You must grant Web application service identities write permissions to the temporary ASP.NET and Windows temporary folders. To enable user access to the Catalog Web service, you must assign the Catalog Web service identity write permissions to the Catalog authorization role.
Commerce Server Services Access to Commerce Server Resources
In addition to Commerce Server 2009 Web services, you can run many additional services, such as the Direct Mailer, Staging, and Commerce Server adapters. The following summarizes the secure deployment requirements used to support these services access to Commerce Server 2009 resources:
You assign each service a service identity. To review the service accounts that you need to create, see What Are the Accounts and Groups to Create?
Controlled access to specific databases and the ability to read or write to the databases is controlled through SQL Server database login accounts and database user role mappings. To review the predefined database role mapping requirements, see What Are the Required Database Accounts and Database Role Mappings?
In addition, several additional deployment tasks are required to enable specific services to access specific resources. The following table summarizes these tasks.
Commerce Server service |
Secure deployment requirements |
|---|---|
Marketing Web service and Direct Mailer service |
Grant the Marketing Web Service identity, MarketingWebSvc, access to the Direct Mailer service. For more information, see How to Grant the Marketing Web Service Access to the Direct Mailer Service. Grant the Marketing Web Service identity access to the task scheduler. For more information, see How to Grant the Marketing Web Service Access to Schedule Tasks. |
Commerce Server Staging |
Grant the service group, CSS_SG, permission to replicate the Internet Information Services (IIS) metabase. For more information, see How to Configure Access to the IIS Metabase. |
Commerce Server Adapters |
Provide the service identity, CSLOB, access to Web services by assigning them to predefined authorization roles. For more information, see How to Set Authorization Roles for the BizTalk Adapters. |
Health Monitoring Service |
Provide the service identity, CSHealthMonitorSvc, access to Web services. For more information, see How to Set Authorization Roles for the Commerce Server Health Monitoring Service. |
Data Warehouse |
Provide the service identity, DTSImport, administrator rights on the Data Warehouse database server and ready permissions on the production site databases. For more information, see the following topics: Grant read and write permissions to the DWRole you create on the Data Warehouse and Analytics server. For more information, see How to Grant Permissions on the Data Warehouse Server. |
Authorization Role-Based Access
Commerce Server 2009 provides several predefined roles to which you assign business users so that they can perform specific tasks such as editing a catalog, creating a discount, and deleting an order. To restrict business users from performing all tasks, you assign them to specific roles such as the CatalogPropertyEditor role, where users can only manage individual catalog properties. By assigning user accounts or Windows groups to the administrator roles, such as MarketingAdministrator or OrdersAdministrator, these users can perform any operation associated with the corresponding Commerce Server 2009 system. For example, the MarketingAdministrator role lets users perform any operation in the Marketing System.
With role-based access control, you specify access control relative to the organizational structure of your company. You use Windows Authorization Manager to add individual users or user groups to a role. Before you assign business user access to the Authorization Manager roles, we recommend that you assign the business user to a Windows group, and then give the Windows group Authorization Manager permissions on the Web services.
Database Role Mapping and the Trusted System Model
To simplify authentication and eliminate the requirement of configuring database roles and permissions for each business user, Commerce Server 2009 uses the trusted system model. In this model, you configure database roles and permissions for groups of users according to user role, such as Catalog Editor or Marketing Manager, and then associate the individual business users with these user roles.
With this model, the Business Management server uses fixed identities to access the resources on the database server. The security context of the originating business user does not pass through the service at the operating-system level. The database trusts the Web server to authenticate users and to let only authenticated users access the database using the trusted identity.
The advantage of using the trusted system model is that users cannot access back-end data directly without using the application and being subjected to application authorization. Only the Web tier service account has access to the back-end resources. Additionally, you only have to configure access control lists (ACL) for the Web tier service account instead of for every individual user identity. The trusted system model also supports connection pooling. This enables multiple clients to reuse available, pooled connections because all back-end resource authentication assumes the security context of the service account, regardless of user identity.
The disadvantage of using the trusted system model is that an attacker who manages to compromise the Web tier has broad access to back-end resources because the back-end resources rely completely on the Web tier to authenticate users. The trusted system model also makes auditing difficult because the Web tier service account masks the originating user identities.
Windows Authentication and Windows Integrated Security
Commerce Server 2009 supports Windows Authentication to SQL Server. This is also known as Windows Integrated Security. We recommend that you use Windows authentication for a Commerce Server 2009 installation. With Windows authentication, Windows Server uses Windows user accounts to authenticate to SQL Server. Commerce Server 2009 sets a tag in the connection string that tells the SQL Server to use Windows authentication when checking the security context of the user trying to access a given database.
When you use Windows Authentication, user names and passwords are not stored in the SQL Server connection string, and are not changed when the SQL Server password is reset.
Data Encryption
In an e-commerce site, you process sensitive information, such as customer credit card numbers and user profile information. Commerce Server 2009 uses these two methods to encrypt data to protect this information:
Use of Secure Sockets Layer (SSL) to encrypt non-profile data. SSL is a scheme for protocols such as HTTP and others to transmit data in a secure manner. For more information, see How to Enable SSL on the Web Servers.
Use of profile encryption keys to encrypt profile data. For more information, see How to Configure Encryption Keys for Profiles System Data.
ASP.NET Security
For information about helping to secure your ASP.NET-based sites, see https://go.microsoft.com/fwlink/?LinkId=139551.
You must help secure the channelconfiguration.config and metadatadefinitions.xml files in the same manner to that of Web.config file, as per the best practices document located at https://go.microsoft.com/fwlink/?LinkId=139666.
Optional Secure Deployment Tools and Tasks
The following secure deployment tools and tasks are optional:
Help secure the Web services cache files by creating a security group that you authorize to update the cache. For more information, see How to Authorize Members of a Security Group to Update the Cache.
Microsoft Windows Server Security Configuration Wizard (SCW). The SCW is an attack surface reduction tool that you use with the Commerce Server 2009 SCW template to provide additional security for your deployment. For more information, see How to Import the Commerce Server Template into the Security Configuration Wizard.
Helping to secure a network requires planning and attention to detail. No single feature or action will make a network secure. For more information about network security, see the "Threats and Countermeasures Guide" at https://go.microsoft.com/fwlink/?LinkId=69711.
See Also
Other Resources
Securing Your Network with Firewalls and Ports
Securing Your Network with an ISA Server
Configuring the Business Management Server