COM Internet services security: Dtcsetup

Proactive vs. reactive security

If your company is proactive with layered security, then security is an ongoing consideration in the design and planning phases of your network implementation and administration; your company has most likely:

  • Designed and implemented layered security in a timely manner
  • Adjusted and adapted to new technologies to address new attacks
  • Maintained, monitored, and managed security measures.

    If your company is reactive, security is an afterthought and a desperate measure to recover from an attack. That approach can lead to unnecessary user and/or customer downtime, which can cost your company thousands or millions in damages. Your company has most likely:

  • Underestimated the importance of layered security model approach
  • Neglected the need for new security technologies and proper measures
  • Overlooked ongoing security maintenance, monitoring, and management.

    COM Internet services security: Dtcsetup
    Did you know that if a hacker (or an administrator, inadvertently) executes the "dtcsetup" stand-alone program located in the system32 folder on a critical production Windows 2000 server, it will stop your MS DTC service indefinitely and begin re-copying the MS DTC files? Consider moving setup and administrator-level programs off your servers.

    Packet security/reference tracking
    In COM Internet Services, go to the Default Properties tab and select the "on this computer" check box. At a minimum, change the default Authentication Level to Packet Security and the Impersonation Level to Impersonate. Enable "Provide additional security for reference tracking." In the MSDTC tab, change the location and file name of the DTCLog log file.

    Enter a TCP/IP port range for DCOM Intranet in the Default Protocols tab of My Computer in Component Services. Next, remove the other, unused protocols. Then go to the Default Security tab and edit "access permissions."

    You may want to add the administrators group and set type of access to "Deny DefaultAccessPermission," to prevent administrators from accessing your application. You can also use this permission in conjunction with "Allow DefaultAccessPermission" for other users. Consider removing Administrators from Default Launch Permissions also.
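As an added example (not from the article), the following PowerShell script audits the machine-wide DCOM defaults that the Component Services steps above change, and flags the dtcsetup program mentioned earlier if it is still in System32. It assumes those settings are stored in their usual registry locations (HKLM\SOFTWARE\Microsoft\Ole and HKLM\SOFTWARE\Microsoft\Rpc) and that you run it from a host that has PowerShell, which a stock Windows 2000 server does not.

```powershell
# Added example, not from the article: report machine-wide DCOM defaults that are
# still weaker than the "Packet security/reference tracking" steps call for.
# Assumption: settings live under HKLM\SOFTWARE\Microsoft\Ole and ...\Rpc.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$authNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Default Authentication Level (absent = Connect); the article's minimum is Packet (4).
$auth = Get-RegValue $ole 'LegacyAuthenticationLevel'
if ($null -eq $auth) { $auth = 2 }
if ([int]$auth -lt 4) { $findings += "Authentication level is $($authNames[[int]$auth]); raise it to Packet or higher" }

# Default Impersonation Level (absent = Identify); the article asks for Impersonate (3).
$imp = Get-RegValue $ole 'LegacyImpersonationLevel'
if ($null -eq $imp) { $imp = 2 }
if ([int]$imp -lt 3) { $findings += "Impersonation level is $($impNames[[int]$imp]); set it to Impersonate" }

# "Provide additional security for reference tracking" is stored as LegacySecureReferences = Y.
if ((Get-RegValue $ole 'LegacySecureReferences') -ne 'Y') { $findings += 'Secure reference tracking is off' }

# Default Protocols tab: anything beyond connection-oriented TCP/IP is worth a second look.
$protocols = Get-RegValue $rpc 'DCOM Protocols'
foreach ($p in @($protocols)) {
    if ($p -and $p -ne 'ncacn_ip_tcp') { $findings += "Extra DCOM protocol still enabled: $p" }
}

# DCOM port range assignment lives under Rpc\Internet; report it so the intranet/internet
# assignment can be confirmed against what was intended.
$ports = Get-RegValue "$rpc\Internet" 'Ports'
if (-not $ports) {
    $findings += 'No DCOM TCP port range is configured'
} else {
    $avail = Get-RegValue "$rpc\Internet" 'PortsInternetAvailable'
    $use   = Get-RegValue "$rpc\Internet" 'UseInternetPorts'
    "Port range '$ports' (PortsInternetAvailable=$avail, UseInternetPorts=$use); confirm the assignment"
}

# The dtcsetup note: setup programs should not sit on a production server.
if (Test-Path "$env:SystemRoot\System32\dtcsetup.exe") { $findings += 'dtcsetup.exe is still present in System32' }

if ($findings.Count -eq 0) { 'DCOM defaults match the hardening steps' } else { $findings }
```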

    Process tuning
    Set and test the following security changes for COM+ Applications. Make sure that you understand your application and its external dependencies (on other applications) before making these modifications. You may need to tune the process settings (i.e., leave the process running when idle, or shut down the process) to find a secure and functional configuration that works in your environment. Some IIS components are included to assist your Web server application.

  • Set COM+ QC DLQL to enforce access checks, to perform access checks at the process and component level, and to use packet for authentication level and impersonate for impersonation level. Specify a unique account and password in the Identity tab. Activate components in a dedicated server process. Set server process shutdown (in Advanced tab) when idle to one minute. Disable deletion and changes.

  • Set IIS In-Process Applications to enforce access checks to perform access checks at the process and component level, and enable authentication. Specify a unique account and password in the Identity tab. Activate components in a dedicated server process. Set server process shutdown when idle to one minute. Disable deletion and changes.

  • Set IIS Out-Of-Process Pooled Applications to enforce access checks, to perform access checks at the process and component level, and to use packet for authentication level and impersonate for impersonation level. Specify a unique account and password in the Identity tab. Activate components in a dedicated server process. Set server process shutdown when idle to one minute. Disable deletion and changes.

  • Set IIS Utilities to enforce access checks, to perform access checks at the process and component level, and to use packet for authentication level and impersonate for impersonation level. Activate components in a dedicated server process. Set server process shutdown when idle to one minute. Disable deletion and changes.

  • Set - {Default Web Site//Root} to enforce access checks, to perform access checks at the process and component level, and to use packet for authentication level and impersonate for impersonation level. Specify a unique account and password in the Identity tab. Activate components in a dedicated server process. Set server process shutdown when idle to one minute. Disable deletion and changes.

  • Set System Application to enforce access checks and use packet privacy for authentication level. Set server process shutdown when idle to one minute. Delete and customize the users assigned to roles.

  • Set Workflow Event Sink to enforce access checks, to perform access checks at the process and component level, and to use packet for authentication level and impersonate for impersonation level. Activate components in a dedicated server process. Set server process shutdown when idle to one minute. Disable deletion and changes. Delete and customize the users assigned to roles.

  • Track transaction statistics in Distributed Transaction Coordinator.
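As an added example (not from the article), this PowerShell script checks the COM+ applications named in the list above against the per-application settings the list prescribes, reading them through the COM+ administration catalog (the COMAdmin.COMAdminCatalog automation object) rather than clicking through each Properties dialog. It assumes the standard catalog property names (ApplicationAccessChecksEnabled, AccessChecksLevel, Authentication, ImpersonationLevel, Activation, RunForever, ShutdownAfter, Deleteable, Changeable, Identity) and that the application names match those on your server.

```powershell
# Added example, not from the article: audit selected COM+ applications against the
# process-tuning settings listed above. Assumption: standard COM+ catalog property
# names; edit $apps to match the application names on your server.
$apps = @('IIS In-Process Applications', 'IIS Out-Of-Process Pooled Applications',
          'IIS Utilities', 'System Application', 'Workflow Event Sink')

# The article wants packet privacy (6) for System Application and packet (4) elsewhere.
$minAuth = @{ 'System Application' = 6 }

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$collection = $catalog.GetCollection('Applications')
$collection.Populate()

$findings = @()
foreach ($app in $collection) {
    $n = $app.Name
    if ($apps -notcontains $n) { continue }
    $wantAuth = if ($minAuth.ContainsKey($n)) { $minAuth[$n] } else { 4 }

    # Enforce access checks at the process and component level (AccessChecksLevel 1).
    if (-not $app.Value('ApplicationAccessChecksEnabled')) { $findings += "$n`: access checks not enforced" }
    if ($app.Value('AccessChecksLevel') -ne 1) { $findings += "$n`: checks not at process and component level" }

    # Authentication and impersonation levels use the same 1-6 / 1-4 scales as DCOM.
    if ($app.Value('Authentication') -lt $wantAuth) { $findings += "$n`: authentication level below required" }
    if ($app.Value('ImpersonationLevel') -lt 3) { $findings += "$n`: impersonation level below Impersonate" }

    # Dedicated server process (Activation 1) that shuts down after one idle minute.
    if ($app.Value('Activation') -ne 1) { $findings += "$n`: not activated in a dedicated server process" }
    if ($app.Value('RunForever') -or $app.Value('ShutdownAfter') -ne 1) {
        $findings += "$n`: does not shut down after one idle minute"
    }

    # Unique identity rather than the interactive user; deletion and changes disabled.
    if ($app.Value('Identity') -eq 'Interactive User') { $findings += "$n`: runs as the interactive user" }
    if ($app.Value('Deleteable') -or $app.Value('Changeable')) { $findings += "$n`: deletion/changes not disabled" }
}

if ($findings.Count -eq 0) { 'All listed COM+ applications match the settings' } else { $findings }
```

Run it from an elevated session on the server being audited; reading the catalog does not change any setting.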

    Serious about security
    It's been my experience that IT professionals have often overlooked some of these basic security steps. If you're serious about security, you must pay close attention to security details and leave no room for hackers.

    In the absence of network security, there exists an opportunity for intrusion.

    Please write to me and let me know if this article has brought to light any potential weak links in your enterprise network.

    For more information:
    You can find over 100 security tips to protect your network today in Luis' new security book titled, "The Weakest Security Link Series," 1st edition 2003 available at Barnes and Noble. Visit my website for more information at www.medinasystems.com.

    Luis Medina is the author of "The Weakest Link Series," which offers network managers an opportunity to identify ongoing network security issues. Luis also answers security questions in our Ask-the-Expert section. Submit a security question to Luis here or view his previously answered Ask-the-Expert questions.

  • This was last published in February 2003
