Windows 2000 Security Basics

Windows 2000 introduced many new security features. Many of these are merely enhancements to existing infrastructure. Some of the more recent developments in application use are Internet related. Considering that most companies, including Microsoft, didn't know that the Internet existed prior to NT Service Pack 3, Microsoft has done a lot of work to close the gaps in OS security while maintaining a user-friendly means by which to implement these features.

Some of the newer features include

  • Encrypting File System

  • SmartCard Authentication

  • Active Directory Services

  • Kerberos and Fortezza support

  • Public Key Infrastructure (PKI)

BizTalk Server 2002's security is truly dependent on the Windows 2000 infrastructure. Understanding Windows 2000 security is key to protecting your information. What follows is a best practices guide, more than a how-to guide, to help make your servers as secure as possible using features available in Windows 2000.

Perhaps the most recommended task is setting up services such as BizTalk Server 2002 to run under a separate local account created for that purpose (a service account). This is demonstrated in the section “Setting Up BizTalk Security” later in the chapter. This provides protection in two ways. First, because it is a machine account, nobody needs to be given its password or to log in with it from across the network. Second, if you set up services to run under an ordinary user account and that user logs out, the services stop running. After you have created this account, it is important to give it the correct privileges to allow it to act as a service account.

Creating a Service Account on Windows 2000

To create a service account on Windows 2000, perform the following steps:

1. Log on as Administrator, or as a member of the Administrators group.

2. Right-click My Computer and select Manage. This opens the Computer Management Console.

3. If it is not already expanded, click the (+) to expand System Tools and click Local Users and Groups. Note that this cannot be done on a machine designated as a domain controller that is using Active Directory Services. If you are using Active Directory, you must create the user first in the Active Directory Users and Computers management console and then proceed with step 8.

4. Select Users; a list of all the local users currently on the system appears. Right-click anywhere on the details side of the console and select New User.

5. Enter a username for the account as well as the password. The password must be entered a second time in the Confirm Password text box.

6. Be sure to clear the User Must Change Password at Next Login check box. Then click Create and click Close.

7. Close the Computer Management Console.

8. From the Start menu, select Administrative Tools and then Local Security Policy.

9. In the Local Security Policy Console, click the (+) to expand Local Policies and click User Rights Assignment.

10. From the details pane, right-click Act as Part of the Operating System and select Security. Click Add to add the account you created in steps 1–6; then click OK twice.

11. Repeat steps 9 and 10 using the Log On as a Service policy.

Reassigning BizTalk Context Account

If you have already installed BizTalk and did not have this account created prior to installation or have not yet assigned BizTalk to run under a service account, the following steps guide you through reassigning the context under which BizTalk runs:

1. From the Start menu, select Administrative Tools and then Services.

2. From the details pane, right-click BizTalk Messaging Service and select Properties.

3. Click the Log On tab, and on that tab select the This Account option.

4. Click the Browse button. This opens an Accounts dialog box in which you select the account to use.

5. In the Password box, type the same password you used when creating the account (again, twice to confirm) and then click OK.

6. A message box appears indicating success; click OK.

7. Restart the computer to ensure the new context takes effect. Just restarting the service may not flush out any instances of the service that are currently in memory.

Caution

It is essential that a service account be used when using certificates with BizTalk Server 2002 and that BizTalk runs under that account.


Keep in mind that if you use, or intend to use, the new Encrypting File System, it protects files only where they are stored: the data is not encrypted during any transfer. To protect your data in transit, you must use SSL, IPSec (Internet Protocol Security), or some other means of security. However, by setting BizTalk to run under the service account, that account can be used to encrypt and decrypt files on the machine. The only issue that may arise is when an account other than the BizTalk service account needs to access an encrypted file.

The new SmartCard authentication that Windows 2000 uses is really an extension of the Public Key Infrastructure (PKI). It is an exchange of certificate information for the purpose of validating identity before information is released. With the new Active Directory Services, Windows 2000 provides a means by which to control security at the object level. This means that you can assign rights to parts of an object on the system. For example, you could assign rights to one group that can only see usernames on the network, whereas another group can see all the information related to users in the Active Directory database.
