Checklist: Planning for Operations in a Secure Environment
Running BizTalk Server in a secure environment requires additional steps for deployment and configuration. While default operating system installations need not take these into account, but scenarios where restrictive security policies have been applied, you should take into account information in this section. The level of restriction applied onto servers may vary but information below should cover most cases and would be a good starting point.
Security Considerations for Computers Running BizTalk Server
The following information suggests the security-related settings on computers running BizTalk Server.
User Rights Assignment
To start the User Rights Assignment MMC Snap-in, click Start, click Administrative Tools, and then click Local Security Policy. In the Local Security Policy MMC snap-in, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
| Policy setting | Values | Reference and details |
|---|---|---|
| Log on as a service | BizTalk Application Users | Required to run BizTalk Host Instances. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server. |
| Log on as a service | RuleEngine Update Service Account | Required to run RuleEngine Update Service. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server. |
| Log on as a service | SSO Service Account | Required to run Enterprise Single Sign-On Service. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server. |
System Services
To start the Services MMC Snap-in, click Start, click Run, and in the Run dialog box, type services.msc and press ENTER.
COM+ System Application:
- Startup type 1: Automatic
- Details: Required by BizTalk to run properly
- User 2: (default)
DHCP Client:
- Startup type 1: Automatic
- Details: Required even if IP addresses are static
- User 2: (default)
Distributed Transaction Coordinator:
- Startup type 1: Automatic
- Details: Required by BizTalk to run properly
The following user accounts need permissions to this service:
| User 2 | Permissions | Details |
|---|---|---|
| SSO Service Account | Full Control | Required to start SSO service |
| BizTalk Hosts Service Account | Full Control | Required to start BizTalk Hosts |
| Network Service | Full Control | Required by IIS |
HTTP SSL 3:
- Startup type 1: Automatic
- Details: Required by IIS
- User 2: (default)
IPSEC Services 3:
- Startup type 1: Automatic
- Details: IPSEC increases network security if used
- User 2: (default)
Netlogon:
- Startup type 1: (default)
- User 2: Local Service
- Permissions: Full Control
NT LM Security Support Provider 3:
- Startup type 1: Automatic
- Details: Required for Kerberos Authentication for BizTalk Server in SQL
- User 2: (default)
Remote Access Connection Manager:
- Startup type 1: (default)
The following user accounts need permissions to this service:
| User 2 | Permissions | Details |
|---|---|---|
| SSO Service Account | Full Control | Required to start SSO service |
| BizTalk Hosts Service Account | Full Control | Required to start BizTalk Hosts |
| Network Service | Full Control | Required by IIS |
Remote Procedure Call (RPC) Locator:
- Startup type 1: Automatic
- Details: Required by BizTalk
- User 2: (default)
WinHTTP Web Proxy Auto-Discovery Service:
- Startup type 1: (default)
The following user accounts need permissions to this service:
| User 2 | Permissions | Details |
|---|---|---|
| SSO Service Account | Full Control | Required to start SSO service |
| BizTalk Hosts Service Account | Full Control | Required to start BizTalk Hosts |
1 A value of (default) means that the default settings applied by the security policy are not changed
2 A value of (default) means that the default user permissions for the service have not been changed
Registry Settings
To start the Registry Editor, click Start, click Run, and in the Run dialog box, type regedit and press ENTER.
HKLM\SYSTEM\CurrentControlSet\Services\DHCP- User: Network Service
- Permissions: Full Control
- Details: Required by DHCP Client Service
HKLM\SYSTEM\CurrentControlSet\Services\TCPIP- User: Network Service
- Permissions: Full Control
- Details: Required by DHCP Client Service
Security Considerations for Computers Running SQL Server
The following information suggests the security-related settings on computers running SQL Server.
User Rights Assignment
To start the User Rights Assignment MMC Snap-in, click Start, click Administrative Tools, and then click Local Security Policy. In the Local Security Policy MMC snap-in, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
| Policy setting | Values | Reference and details |
|---|---|---|
| Act as part of the operating system | SQL Server Agent Service Account, SQL Server Service Account | Required to run SQL Server. For more information see Setting Up Windows Service Accounts. |
| Adjust memory quotas for a process | SQL Server Agent Service Account,SQL Server Service Account | Required to run SQL Server. For more information see Setting Up Windows Service Accounts. |
| Bypass traverse checking | SQL Server Agent Service Account,SQL Server Service Account | Required to run SQL Server. For more information see Setting Up Windows Service Accounts. |
| Create global objects | SQL Server Service Account | Required by SSIS service. For more information see Setting Up Windows Service Accounts. |
| Enable computer and user accounts to be trusted for delegation | SQL Server Service Account, SQL Server Servers, BizTalk Server Servers, SQL Server Cluster Name | Required by BizTalk Server. Server name is in the form <servername>$. For more information, see How to: Enable Kerberos Authentication on a SQL Server Failover Cluster. |
| Log on as a service | SQL Server Agent Service Account,SQL Server Service Account | Required to run SQL Server. For more information see Setting Up Windows Service Accounts. |
| Log on as a service | SSO Service Account | Required to run Enterprise Single Sign-On Service. For more information about different user accounts, see Windows Groups and User Accounts in BizTalk Server. |
| Log on as batch job | SQL Server Agent Service Account,SQL Server Service Account | Required to run SQL Server. For more information see Setting Up Windows Service Accounts. |
| Replace a process level token | SQL Server Agent Service Account,SQL Server Service Account | Required to run SQL Server. For more information see Setting Up Windows Service Accounts. |
System Services
To start the Services MMC Snap-in, click Start, click Run, and in the Run dialog box, type services.msc and press ENTER.
DHCP Client:
- Startup type 1: Automatic
- Details: Required even if IP addresses are static
- User 2: (default)
Distributed Transaction Coordinator:
- Startup type 1: Manual
- Details: Service startup managed by Cluster Service
The following user accounts need permissions to this service:
| User 2 | Permissions | Details |
|---|---|---|
| SSO Service Account | Full Control | Required to start SSO service |
| Network Service | Full Control | Required by IIS |
HTTP SSL 3:
- Startup type 1: Automatic
- Details: Required by IIS
- User 2: (default)
IPSEC Services 3:
- Startup type 1: Automatic
- Details: IPSEC increases network security if used
- User 2: (default)
Netlogon:
- Startup type 1: (default)
- User 2: Local Service
- Permissions: Full Control
NT LM Security Support Provider 3:
- Startup type 1: Automatic
- Details: Required for Kerberos Authentication for BizTalk Server in SQL
- User 2: (default)
Remote Access Connection Manager:
- Startup type 1: (default)
The following user accounts need permissions to this service:
| User 2 | Permissions | Details |
|---|---|---|
| SSO Service Account | Full Control | Required to start SSO service |
| Network Service | Full Control | Required by IIS |
Server:
- Startup type 1: Automatic
- Details: Used for Clustered File Share resources
- User 2: Network Service
- Permissions: Full Control
WinHTTP Web Proxy Auto-Discovery Service:
- Startup type 1: (default)
- User 2: SSO Service Account
- Permissions: Full Control
- Details: Required to start SSO service
World Wide Web Publishing Service:
- Startup type 1: Automatic
- Details: Required by SQL Server Reporting Services
- User 2: (default)
1 A value of (default) means that the default settings applied by the security policy are not changed
2 A value of (default) means that the default user permissions for the service have not been changed
Registry Settings
To start the Registry Editor, click Start, click Run, and in the Run dialog box, type regedit and press ENTER.
HKLM\SYSTEM\CurrentControlSet\Services\DHCP- User: Network Service
- Permissions: Full Control
- Details: Required by DHCP Client Service
HKLM\SYSTEM\CurrentControlSet\Services\TCPIP- User: Network Service
- Permissions: Full Control
- Details: Required by DHCP Client Service
Additional Security Considerations
The following table suggests the other important security-related settings for your BizTalk Server environment.
| Affected artifact | Change | Reference and details |
|---|---|---|
| SSO Service Account | Grant Full Control Permission on Cluster in Cluster Manager | This change is required for SSO to work properly |
| SQL Server Service Account, SQL Server Servers, BizTalk Server Servers, SQL Server Cluster Name | Trust for Delegation in Active Directory | Required for proper Kerberos authentication. For more information, see How to: Enable Kerberos Authentication on a SQL Server Failover Cluster. |
| SQL Server Service Account | Grant permission to create SPN Entries | Required for proper Kerberos authentication. For more information, see How to use Kerberos authentication in SQL Server. |
| SQL Server nodes, SQL cluster name | Create SPN entries for user SQL Server Service Account | Required for proper Kerberos authentication. For more information, see How to use Kerberos authentication in SQL Server. |
| SQL Network Name cluster resource | DNS Registration must succeed, Enable Kerberos Authentication | Required for proper Kerberos authentication |
| SQL Server Surface configuration | Enable Remote Direct Administrator Connection | Required by SQL Browser Service to function properly which is required by SQL Clients (BizTalk/ASP.NET) to correctly locate SQL Server named instance. |
| BizTalk Application Users Group | Grant Execute permission on sp_help_jobhistory in msdb database | Required by BizTalk Server |
See Also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for