Application Center Security

Although the Application Center features implement a variety of security mechanisms, such as privileged inter-process communications and encryption, Application Center itself does not implement security mechanisms via its user interface. However, the product design is such that security is implemented at all levels, from the individual driver level up to the level of the Application Center snap-in. This section summarizes how the Application Center design minimizes potential security weaknesses. Feature-specific security is covered in detail in the chapter that documents each particular feature.

User Accounts

As documented in Chapter 4, "Cluster Services," Application Center uses its own group and user accounts for cluster activities. The Windows 2000 local account, IUSR_machinename, which IIS uses, is not used by Application Center.

CAUTION

We recommend that you do not change the setting for the anonymous access account for IIS on a cluster after adding members. Changing this setting can cause authentication failures. If you do want to implement this change, refer to "Managing User Accounts" in the Application Center online Help to see how to do this correctly.

User Credentials

Specific credentials are required to use Application Center. These credentials are as follows:

  • An Administrators account (local or domain) is required to open the Application Center user interface.
  • To manage a cluster, you require an Administrators account (local or domain) that exists on the cluster members that you want to manage (usually a cluster controller and cluster member pair). If the account is local, the same password is required for both members.
  • When deploying applications, you require one set of credentials (with administrative privileges) for the source server, a second set of credentials for the targets, and, if you're using a stager, a third set of credentials for the controller that can be used with the deployment wizard to deploy from cluster to cluster.
  • In order to remove a cluster member or disband a cluster, you have to provide credentials with administrative privileges on the target.

    TIP

    For simplicity, use one domain account with administrative privileges across a cluster. Use a separate, local Administrators account for remote administration to implement tighter security.

File Systems

Although Application Center supports all three file system formats (FAT, FAT32, and NTFS), we recommend that you use NTFS to implement the highest possible level of file system security. For more information about NTFS file system security, refer to the following topics in the Application Center online Help:

  • "Security During Synchronization"
  • "Set ACLs on Virtual Directories"

Network Adapters

The two-card configuration that Application Center uses effectively segregates inbound client traffic—carried on the front-end adapter—from internal cluster administrative communications, which are handled by the back-end adapter. It is very important to secure the back-end because of the possibility of attacks against the internal administrative protocols and interfaces that Application Center uses.

NOTE

In a cluster that does not use Network Load Balancing (NLB), only one network adapter is required. However, a single network adapter configuration introduces the risk of inappropriate data usage since all the network traffic is routed through the same network adapter. This can present a security risk if your cluster is serving content to Internet clients. Because Application Center will use a second network adapter if it is present, you should consider this configuration option.

Health Monitor and WMI

Any authenticated user can read the Application Center and Microsoft Health Monitor 2.1 namespaces, but only an administrator and the cluster user group account, ACA_servername, can write to these namespaces, which is to say, create an instance of existing classes or create new classes.

On the Windows 2000 operating system, Windows Management Instrumentation (WMI) does not distinguish between local and remote access. Remote connection to a given WMI namespace is a separate user right that might or might not be granted by the system administrator.

WARNING

A user who is gaining access to a cluster over a remote connection can specify a user name and password as a substitute for their current user name and password. If the name that they provide is authenticated, they can gain access to the target namespace. In order to control access to a namespace, you have to implement user rights.
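The namespace policy described in this section (any authenticated user reads, only administrators and ACA_servername write, remote connection granted separately) can be checked against a namespace's security descriptor. The following is an added example, not part of the Resource Kit: it audits the SDDL form of a descriptor using the standard meaning of the SDDL rights tokens on WMI namespaces, and the two descriptors and the SID standing in for ACA_servername are constructed for illustration.

```python
import re

# WMI namespace access rights keyed by the two-letter tokens used in SDDL ACEs.
RIGHT_BITS = {"CC": 0x1,      # Enable Account
              "DC": 0x2,      # Execute Methods
              "LC": 0x4,      # Full Write (classes and instances)
              "SW": 0x8,      # Partial Write (static instances)
              "RP": 0x10,     # Provider Write
              "WP": 0x20,     # Remote Enable
              "RC": 0x20000,  # Read Security
              "WD": 0x40000}  # Edit Security
# Repository writes, plus Edit Security (its holder can grant itself the rest).
WRITE_MASK = 0x4 | 0x8 | 0x40000
REMOTE_ENABLE = 0x20
ACE_RE = re.compile(r"\(([^;)]*);[^;)]*;([^;)]*);[^;)]*;[^;)]*;([^;)]*)\)")


def access_mask(rights):
    """Convert an ACE rights field (hex mask or token string) to an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in RIGHT_BITS:  # e.g. generic rights: refuse to guess
            raise ValueError(f"unrecognised right {token!r}")
        mask |= RIGHT_BITS[token]
    return mask


def audit_namespace(sddl, writers, remote_users):
    """Return (trustee, finding) pairs for allow ACEs that break the policy."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in descriptor")
    findings = []
    for ace_type, rights, trustee in ACE_RE.findall(dacl.group(1)):
        if ace_type != "A":  # only access-allowed ACEs grant rights
            continue
        mask = access_mask(rights)
        if mask & WRITE_MASK and trustee not in writers:
            findings.append((trustee, "write"))
        if mask & REMOTE_ENABLE and trustee not in remote_users:
            findings.append((trustee, "remote-enable"))
    return findings


# Constructed descriptors; ACA_SID stands in for the ACA_servername group.
ACA_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"
EXPECTED = f"O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCLCSWRC;;;{ACA_SID})(A;CI;CCDCRC;;;AU)"
DRIFTED = "O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCSWWPRC;;;AU)"
```

Calling `audit_namespace(DRIFTED, {"BA", ACA_SID}, {"BA"})` reports Authenticated Users (AU) for both a write right and Remote Enable, while the same call on `EXPECTED` returns no findings.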

Monitoring

Whenever you use Health Monitor to create an HTTP monitor that uses authentication, all of the authentication information is stored in the WMI repository. Because this information is readable by all users, you should only use low-privileged test accounts for cluster monitoring.

Logging

Application Center logging uses integrated security, with Read/Write access granted to the Application Center administrative group ACA_servername and the server's Administrators group.

The Application Center Events and Performance Logging database runs as a named instance, which allows multiple copies of SQL Server 2000 to run on the same server. This architecture, coupled with the fact that Application Center uses a different port number, isolates the monitoring database from conventional installations of SQL Server.

Remote Control

Application Center disables remote control of NLB clusters by default. If you enable remote control, you should use a firewall for the NLB User Datagram Protocol (UDP) ports that receive remote control commands. These ports are 1717 and 2504 at the cluster IP address.

NOTE

Application Center does not support synchronization of the NLB remote-control password. You have to configure the NLB remote-control password on each cluster member.



Microsoft Application Center 2000 Resource Kit 2001
Year: 2004
Pages: 183