次の方法で共有


What Are the Secure Deployment Requirements?

For the latest version of Commerce Server 2007 Help, see the Microsoft Web site.

Commerce Server uses many tools, such as Windows Integrated Security, Microsoft Internet Information Services (IIS), Windows Authorization Manager, SQL Server database role assignments, and Windows Component Services, to create and maintain a secure deployment. This topic provides an overview of the security elements that you create and associate within a Commerce Server deployment environment. Information is grouped as follows:

  • Authentication and Secure Access Requirements

  • Data Encryption

  • Optional Secure Deployment Tools and Tasks

Authentication and Secure Access Requirements

Authentication in Commerce Server involves validating user credentials for external site visitors, internal business users, and internal service accounts. Commerce Server uses a different authentication approach for each of these user segments. In all scenarios, users and services need access to the following types of site assets in the Web site application:

  • Web server resources such as pages, images, and other static files.

  • Database resources such as per-user, application-wide, or other forms of dynamic data.

  • Network resources such as remote file system resources and directory stores such as Active Directory.

In turn, the Web site application needs access to system resources such as the registry, event logs, and configuration files.

Review the following sections for a summary of the secure deployment methods that are used to support access by the different user segments:

  • External Access by Site Users

  • Internal Access by Business Users and Commerce Server Services

  • Authorization Role-Based Access

  • Database Role Mapping and the Trusted System Model

  • Windows Authentication and Windows Integrated Security

External Access by Site Users

First time visitors to the Web site, or non-registered users, can access the Web site through ASP.NET and the RunTimeUser account that you create.

The secure deployment requirements used to support anonymous user access to the Web site are as follows:

  • Two anonymous user identity accounts, both a data domain and a Web domain account, are defined in a production environment. The RunTimeUser account is an IIS account that Commerce Server uses to give anonymous users access to the Web site.

  • Controlled access to specific databases and the ability to read or write to the databases is controlled through SQL Server database login accounts and database user role mappings. To review the predefined database role mapping requirements, see What Are the Required Database Accounts and Database Role Mappings?

  • IIS application pool and IIS Worker Process Group assignments are made. Create an IIS application pool for the Web site and assign the anonymous user identity to the application pool and the IIS worker process group.

  • The anonymous user identity must be granted write permissions to the temporary ASP.NET and Windows temporary folders.

Commerce Server uses one of three authentication methods to identify and track users who register with the site:

  • Commerce Server membership provider, which integrates Commerce Server profiles with ASP.NET logon and registration controls.

  • AuthManager, which uses the AuthManager object to identify users and gather information that you use for user authentication.

  • AuthFilter ISAPI filter, which alters the default behavior of IIS and affects the handling of HTTP requests and responses.

ommerce Server membership provider, is the recommended method for supporting user authentication. Commerce Server supports AuthManager and AuthFilter methods, but are obsolete functions in Commerce Server 2007. For information about these methods, see Authentication Concepts and Tasks.

Aa545848.alert_caution(en-US,CS.70).gifImportant Note:

If you are upgrading an existing Commerce Server site to use with Commerce Server 2007 and you want to continue to use either AuthManager or AuthFilter, review the information provided in How to Restore AuthFilter Functioning.

Internal Access by Business Users and Commerce Server Services

Internal business users must have access to the Commerce Server Business Management applications. And, Commerce Server services must have access to various Commerce Server resources. Commerce Server implements two levels of granular security that address these areas.

The first level of security is implemented by using Windows Authorization Manager to define scopes, roles, tasks, and operations to manage access to the Catalog, Inventory, Marketing, Profiles, and Orders systems. Between four and ten security roles are defined per system.

The second level of security is implemented by mapping users to predefined database roles. This grants access to operations, not to resources, for the service identities. The back-end resource managers, such as databases, trust the application to authenticate users and grant access to the trusted service identity. For example, a database administrator might grant access exclusively to a specific human resource application, but not to individual users.

Business User Access to Business Management Applications

The following list summarizes the secure deployment requirements used to support business users access to Business Management applications, and these applications access to Web services. These deployment tasks are performed on the production server where the Commerce Server Web services are run. In an Enterprise deployment, this is the business management server.

  • Each business user is assigned a domain account.

  • Business management Windows or Active Directory groups are created according to your business needs. To review the set of predefined security roles, see What Are the Accounts and Groups to Create?

  • Each business user domain account is added to one or more business management group accounts.

  • You assign business management groups to one or more predefined authorization roles. For more information, see What Are the Minimum Authorization Roles to Assign?

  • Controlled access to specific databases and the ability to read or write to the databases is controlled through SQL Server database login accounts and database user role mappings. To review the predefined database role mapping requirements, see What Are the Required Database Accounts and Database Role Mappings?

  • IIS application pool and IIS worker process group assignments are made. You create an IIS application pool for each Web service and you assign the Web service account to its application pool and the IIS worker process group.

  • You must grant Web application service identities write permissions to the temporary ASP.NET and Windows temporary folders. To enable user access to the Catalog Web service, you must assign the Catalog Web service identity write permissions to the Catalog authorization role.

Commerce Server Services Access to Commerce Server Resources

In addition to Commerce Server Web services, you can run many additional services, such as the Direct Mailer, Staging, and Commerce Server adapters. The following summarizes the secure deployment requirements used to support these services access to Commerce Server resources:

In addition, several additional deployment tasks are required to enable specific services to access specific resources. The following table summarizes these tasks.

Commerce Server Service

Secure Deployment Requirements

Marketing Web service and Direct Mailer service

Grant the Marketing Web Service identity, MarketingWebSvc, access to the Direct Mailer service. For more information, see How to Grant the Marketing Web Service Access to the Direct Mailer Service.

Grant the Marketing Web Service identity access to the task scheduler. For more information, see How to Grant the Marketing Web Service Access to Schedule Tasks.

Commerce Server Staging

Grant the service group, CSS_SG, permission to replicate the Internet Information Services (IIS) metabase. For more information, see How to Configure Access to the IIS Metabase.

Commerce Server Adapters

Provide the service identity, CSLOB, access to Web services by assigning them to predefined authorization roles. For more information, see How to Set Authorization Roles for the BizTalk Adapters.

Commerce Server Health Monitoring

Provide the service identity, CSHealthMonitorSvc, access to Web services. For more information, see How to Set Authorization Roles for the Commerce Server Health Monitoring Service.

Data Warehouse

Provide the service identity, DTSImport, administrator rights on the Data Warehouse database server and ready permissions on the production site databases. For more information, see the following topics:

Grant read and write permissions to the DWRole you create on the Data Warehouse and Analytics server. For more information, see How to Grant Permissions on the Data Warehouse Server.

Authorization Role-Based Access

Commerce Server provides several predefined roles to which you assign business users so that they can perform specific tasks such as editing a catalog, creating a discount, and deleting an order. To restrict business users from performing all tasks, you assign them to specific roles such as the CatalogPropertyEditor role, where users can only manage individual catalog properties. By assigning user accounts or Windows groups to the administrator roles, such as MarketingAdministrator or OrdersAdministrator, these users can perform any operation associated with the corresponding Commerce Server system. For example, the MarketingAdministrator role lets users perform any operation in the Marketing System.

With role-based access control, you specify access control relative to the organizational structure of your company. You use Windows Authorization Manager to add individual users or user groups to a role. Before you assign business user access to the Authorization Manager roles, we recommend that you assign the business user to a Windows group, and then give the Windows group Authorization Manager permissions on the Web services.

Database Role Mapping and the Trusted System Model

To simplify authentication and eliminate the requirement of configuring database roles and permissions for each business user, Commerce Server uses the trusted system model. In this model, you configure database roles and permissions for groups of users according to user role, such as Catalog Editor or Marketing Manager, and then associate the individual business users with these user roles.

With this model, the Business Management server uses fixed identities to access the resources on the database server. The security context of the originating business user does not pass through the service at the operating-system level. The database trusts the Web server to authenticate users and to let only authenticated users access the database using the trusted identity.

The advantage of using the trusted system model is that users cannot access back-end data directly without using the application and being subjected to application authorization. Only the Web tier service account has access to the back-end resources. Additionally, you only have to configure access control lists (ACL) for the Web tier service account instead of for every individual user identity. The trusted system model also supports connection pooling. This enables multiple clients to reuse available, pooled connections because all back-end resource authentication assumes the security context of the service account, regardless of user identity.

The disadvantage of using the trusted system model is that an attacker who manages to compromise the Web tier has broad access to back-end resources because the back-end resources rely completely on the Web tier to authenticate users. The trusted system model also makes auditing difficult because the Web tier service account masks the originating user identities.

Windows Authentication and Windows Integrated Security

Commerce Server supports Windows Authentication to SQL Server. This is also known as Windows Integrated Security. We recommend that you use Windows authentication for a Commerce Server installation. With Windows authentication, Windows Server uses Windows user accounts to authenticate to SQL Server. Commerce Server sets a tag in the connection string that tells the SQL Server to use Windows authentication when checking the security context of the user trying to access a given database.

When you use Windows Authentication, user names and passwords are not stored in the SQL Server connection string, and are not changed when the SQL Server password is reset.

Data Encryption

In an e-commerce site, you process sensitive information, such as customer credit card numbers and user profile information. Commerce Server uses these two methods to encrypt data to protect this information:

Optional Secure Deployment Tools and Tasks

The following secure deployment tools and tasks are optional:

See Also

Other Resources

Securing Your Network with Firewalls and Ports

Securing Your Network with an ISA Server

Configuring the Business Management Server

Configuring the Web Servers

Configuring the Staging Server

Securing the Deployment