Considerations for improved security in Application Center 2000
Article ID: 328499
This article was previously published under Q328499
This document recommends some best practices and guidelines for improved security for Microsoft Application Center 2000.
This article discusses the following topics:
Read your corporate security policy
To be responsive to security issues, make sure that you have answers to questions like the following:
Subscribe to the Microsoft Security Notification Service
You can stay current with Microsoft security issues and fixes by subscribing to the Microsoft Security Notification Service. To receive automatic notification about security-related issues by e-mail, visit the following TechNet Web site, and then click Register:
Scan your system for updates
The Windows Update Web site can help you to detect the updates that are required on your system. To scan your system for updates, visit the Windows Update Web site, and then click Scan for updates:
The Hisecweb.inf security template
This template has been designed to help you secure Microsoft Internet Information Services (IIS) at the operating system level. The template configures basic Windows 2000 system-wide policy.
Text-based security templates
Windows 2000 includes text-based security template files that you can use to apply uniform security settings on computers in an enterprise.
Caution The current versions of the Hisecweb.inf template and the Basicsv.inf template may cause Application Center 2000 to stop responding. For additional information about text-based security templates, click the following article number to view the article in the Microsoft Knowledge Base:
234926 (http://support.microsoft.com/kb/234926/) Windows 2000 security templates are incremental
Configure an Internet Protocol security policy
Microsoft recommends that you consider setting an Internet Protocol security (IPSec) packet-filtering policy on every Web server. This policy can help provide an extra layer of security if your firewalls are breached. Multiple levels of security technology are typically considered to be a good practice.
Generally, the best practice is to block all TCP/IP protocols except the protocols that you explicitly want to support, and to block all the ports except the ones that you must have open. You can use the IPSec administration tool or the IPSecPol command line tool to deploy IPSec policy.
For additional information about IPSec, click the following article number to view the article in the Microsoft Knowledge Base:
231585 (http://support.microsoft.com/kb/231585/) Overview of secure IP communication with IPSec in Windows 2000
Important user accounts
After you install IIS and Application Center, the following new local accounts are created on your server:
These accounts are described in more detail in the following points.
ACC_ComputerName
When computers are added to the cluster, a duplicate account is created on the newly added members. This user is a member of the ACA_ComputerName group. This account is used to manage cluster communication for authentication across members, to replicate content, and to administer cluster members.
Credentials that you must have to run Application Center
You must have the following credentials to use Application Center 2000:
Synchronization across boundaries
Application Center tries to synchronize ACLs across boundaries between local servers, workgroups, domains, trees, and forests.
ACLs that are synchronized on servers that are in the same domain, in the same tree, or in the same forest work correctly after synchronization; their security identifiers (SIDs) are still relevant because they are still in the same forest. However, ACLs that are synchronized across forest boundaries do not work correctly.
SIDs are relevant only to the original, source forest. ACLs that are created on workgroup servers refer to the local servers and, except for well-known SIDs (for example, administrator), are not valid on any other server.
You must manually correct any ACLs that are not correct on the targets.
Alternatively, you can decide not to replicate ACLs. In this case, the ACLs are inherited from the directories that are on the target. Then you can set the ACLs with whatever local user accounts are valid at the directory level. When you do so, the files inherit ACLs from the parent directory.
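The SID rule described in this section can be checked after a deployment. The following Python script is an added example, not part of the original article or of Application Center: it classifies the trustee SIDs found in a replicated ACL as well-known, resolvable on the target, or orphaned. The function names and all SID values are constructed for illustration, and the script assumes that the SID strings have already been exported from the replicated files.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def issuing_authority(sid):
    """Return the domain or machine SID that issued `sid`, or None if the
    SID is well-known (not tied to one domain or machine)."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = m.group(2)[1:].split("-")
    # S-1-5-21-<a>-<b>-<c>[-<RID>] is issued by one domain or one machine.
    if m.group(1) == "5" and subs[0] == "21" and len(subs) >= 4:
        return "S-1-5-21-" + "-".join(subs[1:4])
    return None

def audit_replicated_acl(ace_sids, target_authorities):
    """Classify each ACE trustee SID as it will behave on the target."""
    report = {}
    for sid in ace_sids:
        authority = issuing_authority(sid)
        if authority is None:
            report[sid] = "well-known"
        elif authority in target_authorities:
            report[sid] = "resolvable"
        else:
            report[sid] = "orphaned"   # must be corrected manually
    return report

def orphaned(report):
    return sorted(s for s, state in report.items() if state == "orphaned")

# Constructed sample data (not real SIDs).
STAGING_MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"  # workgroup server
PROD_DOMAIN = "S-1-5-21-1234567890-1234567891-1234567892"      # target's domain
TARGET_MACHINE = "S-1-5-21-2000000001-2000000002-2000000003"   # target's own SID

REPLICATED_ACL = [
    "S-1-5-32-544",             # BUILTIN Administrators group (well-known)
    "S-1-5-11",                 # Authenticated Users (well-known)
    STAGING_MACHINE + "-1005",  # local account created on the staging server
    PROD_DOMAIN + "-1108",      # domain account in the target's forest
]

if __name__ == "__main__":
    result = audit_replicated_acl(REPLICATED_ACL, {PROD_DOMAIN, TARGET_MACHINE})
    for sid, state in result.items():
        print(f"{state:<11} {sid}")
```

Any SID reported as orphaned is an entry that must be corrected manually on the target, or avoided by not replicating ACLs and relying on inheritance instead.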
ACL changes are not synchronized
If you change the ACLs on a file, the changes are not automatically synchronized by Application Center unless the file has changed in some way (for example, the content of the file was altered or one of the file attributes has changed).
Windows 2000 user accounts are not synchronized
Application Center does not synchronize or deploy Windows 2000 user accounts. To have these accounts replicated to your member servers, you must use another method. Microsoft recommends that you create a Windows 2000 domain to share and use Microsoft Windows NT accounts across multiple members.
Synchronizing to and from FAT and NTFS file systems
FAT file systems do not support ACLs. If you synchronize or deploy from a member that has a FAT file system to a server that has an NTFS file system, the files that are delivered to the NTFS file system inherit the ACLs from their new parent directories.
Transfer protocols
Application Center synchronization occurs on the management-traffic adapter and uses three transfer protocols:
Additionally, you can use IPSec Policy to provide effective encryption of HTTP traffic.
Permissions and account considerations
DCOM permissions that you must have to run Application Center
By starting the DCOM configuration tool (Dcomcnfg.exe) from a command prompt, you can check default security permissions.
Local Security Settings for the IIS and Application Center Accounts
Note When you set up the ACL_ComputerName account during the installation of Application Center 2000, you must select the Access this computer from network check box. For additional information about assigning user rights and credentials, click the following article number to view the article in the Microsoft Knowledge Base:
220019 (http://support.microsoft.com/kb/220019/) How to set user rights in Windows 2000
However, because the account is created during installation, you must grant the Access this computer from network option to a group that will contain newly created local accounts during Application Center 2000 installation. Granting this option to the Authorized Users group during Application Center 2000 installation is sufficient. You can remove this option from the group after Application Center 2000 is installed.
Windows Management Instrumentation (WMI) namespace permissions
This section discusses Application Center, Windows Management Instrumentation (WMI), Microsoft Health Monitor 2.1, and security.
Any authenticated user can read the Application Center and the Health Monitor namespaces. However, only an administrator or the cluster user group account (identified by ACA_ComputerName) can write to the Application Center and the Health Monitor namespaces (that is, create an instance of existing classes or of new classes). Therefore, both the Administrator and the ACA_ComputerName group must have Full Control permissions on the following WMI namespaces:
Component Object Model (COM) components that are not required
Because some COM components are not required for most applications, Microsoft recommends that they be disabled if you know that no other programs require any of the COM components.
Important Some programs may require the component that you want to disable. Contact the vendor of any third-party applications to determine the requirements of a component before you disable the component.
For example, consider disabling the File System Object component. However, be aware that disabling the File System Object component also removes the Dictionary object, and Site Server 3.0 requires the File System Object.
If you want to disable the File System Object, run the following command at a command prompt:
regsvr32 scrrun.dll /u
Firewall considerations
This section describes two architectural topologies for firewall usage in the Application Center cluster environment.
Scenario 1
A staging server is separated from the production environment by means of a firewall.
For a graphical representation of this topology, see the Application Center 2000 Resource Kit at the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb734915.aspx
For deployment to succeed, the firewall must have the following two ports open:
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To change the ports that the Application Center 2000 Replication Service binds to, use Registry Editor to add the following registry keys:
When the registry key value is created, it uses the hexadecimal number system. Make sure that you change the number format to decimal format before you assign a port value; otherwise, you receive unexpected results.
Note Make sure that you assign a unique value to each of the two keys that corresponds to ports that are not used by another application.
Scenario 2
The staging server and the production environment are separated from the Internet by means of a firewall.
To permit traffic through the firewall, you must open certain ports under the firewall configuration settings. The front-end firewall is the first point of protection for Internet sites. Therefore, the firewall should block all ports except Web port 80 and Secure Sockets Layer (SSL) port 443.
Network adapter cards and security considerations
Cluster members can be configured with two network adapters:
Whenever Network Load Balancing is used, two network adapters are required. If the cluster does not use load balancing, only one network adapter is required. (However, a second network adapter will be used if it is available.)
Note Having a single network adapter introduces the risk of inappropriate data usage because all network traffic is routed through the same network adapter. This is especially significant if the cluster is serving content that is bound for the Internet. Consider this issue when you make decisions about cluster architecture.