Security requirements for deployment of assemblies
12-08-04 10:51 PM
Hello,
I understand that the deployment of assemblies into the GAC requires Windows
Administrator (or Power User) privileges.
In this case the BizTalk Administrator would either have to ask the Windows
Administrator to deploy the assembly or (after adding the BTS admin to the
admin group) would end up having all the administrative privileges.
Is there some workaround, i.e. that a BizTalk Administrator can deploy the
assemblies?
Regards
Erich
RE: Security requirements for deployment of assemblies
12-18-04 01:46 AM
Hi Erich,
You must be a BizTalk Admin to deploy assemblies to the Configuration
Database. But as you've noted, this is not enough to deploy assemblies to
the GAC. This is because, by default, only the Administrators and Power
Users groups have write permission to the \Windows (or \Winnt) folder.
One option is to give the individual user who will perform the GACing write
permission to the \Windows installation folder. But I would not recommend
giving the whole BizTalk Admin group this option.
Better yet, I would follow the advice of "Security Recommendations for a
BizTalk Server Deployment", available online at:
http://msdn.microsoft.com/library/d...-us/deploying/htm/ebiz_depl_secure_ajnv.asp
This advocates using different accounts for different functions and using
accounts with the minimum permissions and user rights needed to get the job
done. Create an account *solely* for deployment and make it both a Power
User and a BizTalk Admin.
There's further discussion within the "Assembly Deployment User Roles"
article in our documentation, available online at:
http://msdn.microsoft.com/library/d...-us/deploying/htm/ebiz_depl_assemblies_yhgt.asp
HTH,
Doug Girard [MSFT]
Note: This posting is provided "AS IS" with no warranties, and confers no
rights.
RE: Security requirements for deployment of assemblies
12-20-04 10:48 PM
Hello Doug,
This is what I thought, but it will be hard / not possible to implement for us.
We are running in a datacenter environment, and power user/admin rights are
not handed out for "application support" guys.
I did see in the BTSconfig file (see text below) some entries, which might
help me. I don't require that the assemblies are really in the GAC, the
system should just be able to locate the assemblies. And these directories
could be secured similar to your suggestion.
Do you have documentation for the (copied) entries?? Could this be a
solution?

    <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <probing privatePath="BizTalk Assemblies;Developer Tools;Tracking;Tracking\interop" />
      </assemblyBinding>
    </runtime>

"Doug Girard [MSFT]" wrote:
> Hi Erich,
>
> You must be a BizTalk Admin to deploy assemblies to the Configuration
> Database. But as you've noted, this is not enough to deploy assemblies to
> the GAC. This is because, by default, only the Administrators and Power
> Users groups have write permission to the \Windows (or \Winnt) folder.
>
> One option is to give the individual user who will perform the GACing write
> permission to the \Windows installation folder. But I would not recommend
> giving the whole BizTalk Admin group this option.
>
> Better yet, I would follow the advice of "Security Recommendations for a
> BizTalk Server Deployment", available online at:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/deploying/htm/ebiz_depl_secure_ajnv.asp
> This advocates using different accounts for different functions and using
> accounts with the minimum permissions and user rights needed to get the job
> done. Create an account *solely* for deployment and make it both a Power
> User and a BizTalk Admin.
>
> There's further discussion within the "Assembly Deployment User Roles"
> article in our documentation, available online at:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/deploying/htm/ebiz_depl_assemblies_yhgt.asp
>
> HTH,
> Doug Girard [MSFT]
>
> Note: This posting is provided "AS IS" with no warranties, and confers no
> rights.
RE: Security requirements for deployment of assemblies
12-22-04 10:52 PM
Erich,
For BizTalk Server 2004, we require that BizTalk assemblies be GAC'd and
don't support placing assemblies elsewhere. If you can't be handed out
Administrator/Power User privileges for your processing servers, maybe the
other alternative will work for you -- providing a user write access to the
appropriate Windows directories to allow GACing.
HTH,
Doug Girard [MSFT]
Note: This posting is provided "AS IS" with no warranties, and confers no
rights.
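Added example (not part of the original thread and not Microsoft's code): both options discussed above come down to who holds write access on the Windows directory backing the GAC, so this PowerShell script lists every identity with write-capable rights on that folder and flags any that are not on an expected list. The default path %windir%\assembly (the GAC location for .NET Framework versions before 4.0) and the account name CONTOSO\svc-bts-deploy are assumptions.

```powershell
# Added example: report which identities can write to the GAC folder.
# $GacPath and $Expected are assumptions; adjust both for the server being audited.
param(
    [string]   $GacPath  = (Join-Path $env:windir 'assembly'),
    [string[]] $Expected = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'NT SERVICE\TrustedInstaller',
        'CONTOSO\svc-bts-deploy'      # hypothetical dedicated deployment account
    )
)

# Rights that allow adding, replacing or removing files, or re-granting access.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw ACEs may carry generic rights instead: GENERIC_ALL and GENERIC_WRITE.
$genericBits = 0x10000000 -bor 0x40000000
$mask = $writeBits -bor $genericBits

$acl = Get-Acl -LiteralPath $GacPath

$findings = foreach ($ace in $acl.Access) {
    # Deny entries and read-only grants are not of interest here.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

    $who = $ace.IdentityReference.Value
    [pscustomobject]@{
        Identity  = $who
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Expected  = $Expected -contains $who   # case-insensitive match
    }
}

$findings | Sort-Object Expected, Identity | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or pipeline alert on drift.
$unexpected = @($findings | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected principal(s) can write to $GacPath"
    exit 1
}
```

On a default installation of that era the Power Users group shows up as unexpected here, which matches the default write permission described earlier in the thread.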
All times are GMT.