Important Security Notes
This topic describes known security issues in Commerce Server and the steps you must take to mitigate the security risks.
Known Security Issues
- Catalog Security: Assign Business Desk Users to DB_Owner Role
- Site Packager: Delete the Unpack.vbs File
- Config COM+ Application: Remove Everyone from Web Users Role
- AuthFilter requires SQL Authentication to Administration Database
- Solution Sites AuthFiles Folder: Remove Directory
- Commerce Server Service Pack 1: Setting Access Security on Commerce Server Services
Catalog Security: Assign Business Desk Users to DB_Owner Role
To enable Business Desk users to edit catalogs (for example, edit a catalog definition, rebuild the catalog, refresh the full-text index, and publish the catalog), you must assign them to the db_owner role for the Catalog database. For instructions, see Deploying Commerce Server Using Windows Authentication.
Carefully consider the trustworthiness of any Business Desk user that you assign to the db_owner role, because the role carries the following security risk.
A Business Desk user assigned to the db_owner role could delete a database. To mitigate this risk, you must place a firewall between the Business Desk clients and the SQL Server that hosts the catalogs, so that clients cannot connect directly to the database. This is the recommended secure configuration. For detailed instructions for deploying firewalls, see Deploying a Secure Site.
Site Packager: Delete the Unpack.vbs File
If you create an unpack.vbs file when you unpack an application to a remote Web server, you must delete the file immediately after unpacking the application.
The unpack.vbs file is created in the root directory, where anonymous users can access it. Unauthorized use of this script could cause a denial of service or corrupt the site settings.
Config COM+ Application: Remove Everyone from Web Users Role
Although Commerce Server installs five COM+ applications, only the Config application, used to access the Administration database, uses assigned roles. These roles are:
Administrators. Accounts in this role can use the objects that write to the Administration database. By default, both the user who was logged on during Commerce Server setup and the local Administrators group are added to this role.
Use this role to give system administrators permission to use Commerce Server Manager.
Web Users. Accounts in this role will have permissions to add a Web server to an application.
This role is designed to support the automatic addition of Web servers, for example in a Web farm, when the Commerce Server application first starts on a new Web server: a user connects to the Web server (or is load-balanced to it), global.asa runs, and the Web server is added automatically to the Administration database. The function that updates the Administration database is JoinWebFarm, which is included with the Solution Sites.
By default, Everyone is added to this role. You must change this as follows:
- Remove Everyone.
- Add the Anonymous account (IUSR_<computername> is the default).
- Add the Launch IIS Process account (IWAM_<computername> is the default).
- Add the accounts of other users who will be allowed to connect to the site.
AuthFilter requires SQL Authentication to Administration Database
When you use AuthFilter in a distributed environment, you must change the connection string for the Administration database to SQL Authentication. You must change the connection string for the following reason:
The ISAPI filter (and therefore AuthFilter) runs in the security context of the IIS process (inetinfo), which is LocalSystem. With Windows authentication, AuthFilter would therefore try to connect to SQL Server on another computer using the LocalSystem credentials, which are invalid there: LocalSystem does not have the rights to make connections across the network.
If the Administration database were local, the connection would work, but you should never locate the Administration database on the Web server.
Solution Sites AuthFiles Folder: Remove Directory
The Solution Sites include a folder called AuthFiles. You can use the files in this folder if you want to integrate AuthFilter into your site.
If you do not want to use AuthFilter, you must remove the AuthFiles directory or remove the permissions on the directory. If you do not, your site is exposed to a security risk.
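The three file-system and COM+ checks above (unpack.vbs left in the root directory, the Web Users role of the Config application still containing Everyone, and the AuthFiles folder left in place) can be audited from the Web server with the following script. It is an added example, not part of the Commerce Server documentation or product; it is read-only and only reports findings. The Web root path and the pattern used to find the Config COM+ application are assumptions, not values from this topic.

```powershell
# Added audit script (not part of Commerce Server). Read-only: reports, never changes.
# Assumptions not stated on the page: the Web root path, and that the COM+ application
# name contains "Config". Adjust both parameters to match the server being audited.
param(
    [string]$WebRoot          = "C:\Inetpub\wwwroot",   # assumed Web root
    [string]$ConfigAppPattern = "*Config*"              # assumed COM+ app name pattern
)

# 1. Site Packager: unpack.vbs must not remain in the root directory.
$unpack = Join-Path $WebRoot "unpack.vbs"
if (Test-Path $unpack) {
    Write-Warning "FOUND $unpack - reachable by anonymous users; delete it."
}

# 2. Solution Sites: AuthFiles must be removed (or its permissions removed) if AuthFilter is not used.
$authFiles = Join-Path $WebRoot "AuthFiles"
if (Test-Path $authFiles) {
    Write-Warning "FOUND $authFiles - remove it or its permissions if AuthFilter is not in use."
}

# 3. Config COM+ application: the Web Users role must not contain Everyone.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection("Applications")
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Name -notlike $ConfigAppPattern) { continue }
    $roles = $apps.GetCollection("Roles", $app.Key)
    $roles.Populate()
    foreach ($role in $roles) {
        if ($role.Name -ne "Web Users") { continue }
        $members = $roles.GetCollection("UsersInRole", $role.Key)
        $members.Populate()
        foreach ($m in $members) {
            $who = $m.Value("User")
            if ($who -match '(^|\\)Everyone$') {
                Write-Warning "COM+ app '$($app.Name)', role 'Web Users' contains '$who' - remove it and add the IUSR_ and IWAM_ accounts instead."
            } else {
                Write-Output "COM+ app '$($app.Name)', role 'Web Users' member: $who"
            }
        }
    }
}
```

Run it in an elevated session on the Web server; a clean run prints only the expected Web Users members (the anonymous and launch IIS process accounts) and no warnings.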
Commerce Server Service Pack 1: Setting Access Security on Commerce Server Services
After you have installed Commerce Server 2002 Service Pack 1, you can set access security on the Commerce Server List Manager service, Direct Mailer service, and Predictor service by using Dcomcnfg.exe.
This procedure only applies to Commerce Server 2002 Service Pack 1. It is particularly important to run the executable if you are using opt-out lists.
For information about running Dcomcnfg.exe, see Microsoft Knowledge Base article Q328522.