Security Checklist

Commerce Server 2002

The following are recommended steps you should take to secure your Commerce Server installation.

  • Deploy a secure infrastructure.
    • Use firewalls.
    • Run SQL and Windows services, including the Commerce Server services – Predictor, List Manager, and Direct Mailer – using least privilege accounts. The Event Logging user account must be a local administrator.
    • Throttle requests, for example, for baskets and checkouts.
    • Configure Internet Information Services (IIS) applications used by Commerce Server to run in Medium (Pooled) mode. If you have a multi-site configuration, IIS applications used by Commerce Server must run in High (Isolated) mode.
  • Deploy Commerce Server using Windows Authentication.
    • Create domain accounts for Commerce Server services and users.
    • Install Commerce Server using Windows Integrated Security.
    • Configure the anonymous account to map to a domain account.
    • Set up a trusted connection for the Business Desk Web server.
  • Secure the Business Desk application and user interface.
  • Secure the Administration database, which contains configuration information for your site.
    • Use Windows Authentication for the connection to the Administration database.
    • Secure the SiteConfigReadOnly, SiteConfig, and GlobalConfig objects.
    • Restrict executable scripts so that attackers cannot access these configuration objects.
    • Restrict usage of the SiteConfig and GlobalConfig objects by modifying the access control lists (ACLs) on the registry keys for these object classes.
  • Secure the Commerce Server run-time databases.
    • Use Windows Authentication for the connection to the databases.
    • Run the Commerce Server security scripts to create the appropriate roles on each database, and then assign Business Desk users and the run-time user account to the appropriate roles.
    • Use an encrypted network connection by deploying encryption on the named pipes: use IPSec authentication, enable Secure Sockets Layer (SSL) encryption, and enable multiprotocol client encryption.
    • Use the Commerce Server encryption features (such as one-way hashing and asymmetric encryption) to encrypt user passwords, that is, data that does not need to be decrypted. Use asymmetric encryption to encrypt credit card numbers and expiration dates.
    • Set permissions for run-time users (users visiting your Web site) and design-time users (users updating your site using Business Desk) on the Commerce Server databases, tables, and stored procedures.
  • Secure the Data Warehouse.
    • Run the DTS task security scripts against each Commerce Server database that the DTS tasks must access. These scripts create the DTS_ImportRole on each database, and grant the role appropriate database permissions. You assign to the DTS_ImportRole the login account of users authorized to run the DTS tasks.
    • Run the report security scripts against the Data Warehouse database. These scripts create two roles on the Data Warehouse database: one for users who run and view reports, and another for users who create, delete, and modify reports. The roles are granted the role appropriate database permissions. Assign Business Desk users to the appropriate roles, depending on their job requirements.
    • Run the SegmentViewer Script to Secure Prediction Tables. This script creates the SegmentViewer role on the Data Warehouse database, and grants the role appropriate database permissions. Assign Business Desk users to this role if they are going to work with the Segment Viewer module in Business Desk.
    • Set up access to the Analysis Server over HTTPS. This enables Business Desk users to run reports over the Internet.
  • Secure the Direct Mailer Database.
  • Secure the Web log files, which are imported into the Data Warehouse.
    • Set access control lists (ACLs) on the directory for the log files.
    • Use an encrypted network connection (apply SSL and IPSec).
  • Secure the Web server, application, and specific files installed on the Web server.
    • Remove FTP Server, SMTP Server, Indexing Service, Microsoft FrontPage extensions, script debugger, Internet and the Services Manager (HTML) if they are not used by any other application on the server.
    • Secure the pipelines directory with ACLs to prevent downloads of .PCF and .PIPELOG files.
    • Secure the Csapp.ini file by turning off both read and anonymous access to it in IIS. Do not use the NTFS file system (NTFS) permissions to secure this file because the file must be readable under user credentials such as the IUSR account.
    • Create scripts to secure the files and folders that contain your site after you unpack it. Commerce Server Site Packager does not package or unpack any NTFS folder or file permissions (access control lists).
    • Use caution when configuring the accounts that can log on interactively to a Web server: ensure that the Guest account is disabled and that only accounts requiring access to the Web server are given access.
    • Turn off Write permissions on Internet Information Services (IIS) applications and folders (on the Home Directory tab).
  • Install the tools from the Microsoft Strategic Technology Protection Program, available from
    • Use the Internet Information Services (IIS) Lockdown tool to remove all unneeded links from Internet Services Manager (for example, scripts, images, iishelp, iisadmin, and msadc). To download the IIS Lockdown tool, see
    • Use the URLScan tool to ensure your Web servers only respond to legitimate requests.
    • Use the HFNetCheck tool to scan your local and remote servers to ensure that that they are up to date on all security patches available for Windows 2000, IIS 5.0, Internet Explorer, and SQL Server. To download the HFCheck tool, see
    • Use the QChain.exe tool to install multiple hotfixes with only one restart. To download the QChain.exe tool, see Microsoft Knowledge Base article Q296861: "Use QChain.exe to Install Multiple Hotfixes with Only One Reboot," located at
  • Use the Windows 2000 Server Baseline Security Checklist, available from, to secure all Windows 2000 servers in your site.

Copyright © 2005 Microsoft Corporation.
All rights reserved.