Export (0) Print
Expand All

Checklist: Planning for Operations in a Secure Environment

Running BizTalk Server in a secure environment requires additional steps for deployment and configuration. While default operating system installations need not take these into account, but scenarios where restrictive security policies have been applied, you should take into account information in this section. The level of restriction applied onto servers may vary but information below should cover most cases and would be a a good starting point.

The following table suggests the security-related settings on computers running BizTalk Server.

User Rights Assignment

To start the User Rights Assignment MMC Snap-in, click Start, click Administrative Tools, and then click Local Security Policy. In the Local Security Policy MMC snap-in, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

Policy setting Values Reference and details

Log on as a service

BizTalk Application Users

Required to run BizTalk Host Instances. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server (http://go.microsoft.com/fwlink/?LinkID=155755).

Log on as a service

RuleEngine Update Service Account

Required to run RuleEngine Update Service. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server (http://go.microsoft.com/fwlink/?LinkID=155755).

Log on as a service

SSO Service Account

Required to run Enterprise Single Sign-On Service. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server (http://go.microsoft.com/fwlink/?LinkID=155755).

System Services

To start the Services MMC Snap-in, click Start, click Run, and in the Run dialog box, type services.msc and press ENTER.

Service name Startup type1 Details User2 Permissions Details

COM+ System Application

Automatic

Required by BizTalk to run properly

(default)

DHCP Client

Automatic

Required even if IP addresses are static

(default)

Distributed Transaction Coordinator

Automatic

Required by BizTalk to run properly

SSO Service Account

Full Control

Required to start SSO service

BizTalk Hosts Service Account

Full Control

Required to start BizTalk Hosts

Network Service

Full Control

Required by IIS

HTTP SSL3

Automatic

Required by IIS

(default)

IPSEC Services3

Automatic

IPSEC increases network security if used

(default)

Netlogon

(default)

Local Service

Full Control

NT LM Security Support Provider3

Automatic

Required for Kerberos Authentication for BizTalk Server in SQL

(default)

Remote Access Connection Manager

(default)

SSO Service Account

Full Control

Required to start SSO service

BizTalk Hosts Service Account

Full Control

Required to start BizTalk Hosts

Network Service

Full Control

Required by IIS

Remote Procedure Call (RPC) Locator

Automatic

Required by BizTalk

(default)

WinHTTP Web Proxy Auto-Discovery Service

(default)

SSO Service Account

Full Control

Required to start SSO service

BizTalk Hosts Service Account

Full Control

Required to start BizTalk Hosts

1 A value of (default) means that the default settings applied by the security policy are not changed

2 A value of (default) means that the default user permissions for the service have not been changed

Registry Settings

To start the Registry Editor, click Start, click Run, and in the Run dialog box, type regedit and press ENTER.

Key User Permissions Details

HKLM\ SYSTEM\CurrentControlSet\Services\DHCP

Network Service

Full Control

Required by DHCP Client Service

HKLM\ SYSTEM\CurrentControlSet\Services\TCPIP

Network Service

Full Control

Required by DHCP Client Service

The following table suggests the security-related settings on computers running SQL Server.

User Rights Assignment

To start the User Rights Assignment MMC Snap-in, click Start, click Administrative Tools, and then click Local Security Policy. In the Local Security Policy MMC snap-in, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

Policy setting Values Reference and details

Act as part of the operating system

SQL Server Agent Service Account, SQL Server Service Account

Required to run SQL Server. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

Adjust memory quotas for a process

SQL Server Agent Service Account,SQL Server Service Account

Required to run SQL Server. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

Bypass traverse checking

SQL Server Agent Service Account,SQL Server Service Account

Required to run SQL Server. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

Create global objects

SQL Server Service Account

Required by SSIS service. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

Enable computer and user accounts to be trusted for delegation

SQL Server Service Account, SQL Server Servers, BizTalk Server Servers, SQL Server Cluster Name

Required by BizTalk Server. Server name is in the form <servername>$. For more information, see How to: Enable Kerberos Authentication on a SQL Server Failover Cluster (http://go.microsoft.com/fwlink/?LinkId=157417).

Log on as a service

SQL Server Agent Service Account,SQL Server Service Account

Required to run SQL Server. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

Log on as a service

SSO Service Account

Required to run Enterprise Single Sign-On Service. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server (http://go.microsoft.com/fwlink/?LinkID=155755).

Log on as batch job

SQL Server Agent Service Account,SQL Server Service Account

Required to run SQL Server. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

Replace a process level token

SQL Server Agent Service Account,SQL Server Service Account

Required to run SQL Server. For more information see Setting Up Windows Service Accounts (http://go.microsoft.com/fwlink/?LinkId=157415).

System Services

To start the Services MMC Snap-in, click Start, click Run, and in the Run dialog box, type services.msc and press ENTER.

Service name Startup type1 Details User2 Permissions Details

DHCP Client

Automatic

Required even if IP addresses are static

(default)

Distributed Transaction Coordinator

Manual

Service startup managed by Cluster Service

SSO Service Account

Full Control

Required to start SSO service

Network Service

Full Control

Required by IIS

HTTP SSL3

Automatic

Required by IIS

(default)

IPSEC Services3

Automatic

IPSEC increases network security if used

(default)

Netlogon

(default)

Local Service

Full Control

NT LM Security Support Provider3

Automatic

Required for Kerberos Authentication for BizTalk Server in SQL

(default)

Remote Access Connection Manager

(default)

SSO Service Account

Full Control

Required to start SSO service

Network Service

Full Control

Required by IIS

Server

Automatic

Used for Clustered File Share resources

Network Service

Full Control

WinHTTP Web Proxy Auto-Discovery Service

(default)

SSO Service Account

Full Control

Required to start SSO service

World Wide Web Publishing Service

Automatic

Required by SQL Server Reporting Services

(default)

1 A value of (default) means that the default settings applied by the security policy are not changed

2 A value of (default) means that the default user permissions for the service have not been changed

Registry Settings

To start the Registry Editor, click Start, click Run, and in the Run dialog box, type regedit and press ENTER.

Key User Permissions Details

HKLM\ SYSTEM\CurrentControlSet\Services\DHCP

Network Service

Full Control

Required by DHCP Client Service

HKLM\ SYSTEM\CurrentControlSet\Services\TCPIP

Network Service

Full Control

Required by DHCP Client Service

The following table suggests the other important security-related settings for your BizTalk Server environment.

Affected artifact Change Reference and details

SSO Service Account

Grant Full Control Permission on Cluster in Cluster Manager

This change is required for SSO in order to work properly

SQL Server Service Account, SQL Server Servers, BizTalk Server Servers, SQL Server Cluster Name

Trust for Delegation in Active Directory

Required for proper Kerberos authentication. For more information, see How to: Enable Kerberos Authentication on a SQL Server Failover Cluster (http://go.microsoft.com/fwlink/?LinkId=157417).

SQL Server Service Account

Grant permission to create SPN Entries

Required for proper Kerberos authentication. For more information, see How to use Kerberos authentication in SQL Server (http://go.microsoft.com/fwlink/?LinkId=157420).

SQL Server nodes, SQL cluster name

Create SPN entries for user SQL Server Service Account

Required for proper Kerberos authentication. For more information, see How to use Kerberos authentication in SQL Server (http://go.microsoft.com/fwlink/?LinkId=157420).

SQL Network Name cluster resource

DNS Registration must succeed, Enable Kerberos Authentication

Required for proper Kerberos authentication

SQL Server Surface configuration

Enable Remote Direct Administrator Connection

Required by SQL Browser Service to function properly which is required by SQL Clients (BizTalk/ASP.NET) in order to correctly locate SQL Server named instance

BizTalk Application Users Group

Grant Execute permission on sp_help_jobhistory in msdb database

Required by BizTalk Server

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft