What are the risks of using the "No authentication required" transaction mode in the MSDTC security configuration?

anunes 6 Reputation points
2021-05-24T20:55:53.457+00:00

In our environment we have two servers on two separate domains (one is in DMZ, other in internal network) and we need them to be able to use distributed transactions. The transactions would be initiated from the server on the internal network via linked server. The server on the DMZ would only be able to allow inbound transactions. It seems that the only way to do this is to configure the MSDTC with "no authentication required" , in addition to opening firewalls and modifying the net bios host file to create DNS entries on both servers. What are the security implications/risks if any of using the "no authentication required" transaction mode? Does this open up our internal network to potential attacks/vulnerabilities?

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,490 questions
Windows API - Win32
Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,737 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,902 questions
0 comments No comments
{count} vote

2 answers

Sort by: Most helpful
  1. Ibrahim Olayiwola Abdulrahim 90 Reputation points
    2023-07-24T00:06:15.1933333+00:00

    If you set it to no authentication required it allows network communication between DTC services to fall back to non-authenticated communication if a secure communication channel cannot be established. It basically means that any distributed transactions are vulnerable to MITM attacks as well as 3rd parties hammering your DTC server with requests as no authentication is required.

    1 person found this answer helpful.
    0 comments No comments

  2. Vahid Ghafarpour 22,445 Reputation points
    2023-07-23T23:23:57.69+00:00

    Without proper authentication, there is no guarantee that the transactions come from legitimate sources. This lack of trust can lead to data integrity and confidentiality issues if unauthorized parties can access or manipulate the data.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.