If you set it to no authentication required, it allows network communication between DTC services to fall back to non-authenticated communication if a secure communication channel cannot be established. It basically means that any distributed transactions are vulnerable to MITM attacks as well as 3rd parties hammering your DTC server with requests, as no authentication is required.
What are the risks of using the "No authentication required" transaction mode in the MSDTC security configuration?
In our environment we have two servers on two separate domains (one is in the DMZ, the other in the internal network) and we need them to be able to use distributed transactions. The transactions would be initiated from the server on the internal network via linked server. The server on the DMZ would only be able to allow inbound transactions. It seems that the only way to do this is to configure the MSDTC with "no authentication required", in addition to opening firewalls and modifying the NetBIOS host file to create DNS entries on both servers. What are the security implications/risks, if any, of using the "no authentication required" transaction mode? Does this open up our internal network to potential attacks/vulnerabilities?
2 answers
Ibrahim Olayiwola Abdulrahim 90 Reputation points
2023-07-24T00:06:15.1933333+00:00
Vahid Ghafarpour 22,445 Reputation points
2023-07-23T23:23:57.69+00:00
Without proper authentication, there is no guarantee that the transactions come from legitimate sources. This lack of trust can lead to data integrity and confidentiality issues if unauthorized parties can access or manipulate the data.
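
To check which authentication mode a host is actually in and whether it accepts network transactions, the following read-only audit is an added example, not part of the original thread. It relies on the MSDTC registry values under `HKLM:\SOFTWARE\Microsoft\MSDTC`; the function name `Get-DtcAuthFinding` and the sample values are assumptions made for illustration.

```powershell
# Added example: classify MSDTC authentication from its registry values.
# Get-DtcAuthFinding and the sample values are hypothetical/constructed.
function Get-DtcAuthFinding {
    param(
        [Parameter(Mandatory)] $Rpc,       # values of HKLM:\SOFTWARE\Microsoft\MSDTC
        [Parameter(Mandatory)] $Security   # values of HKLM:\SOFTWARE\Microsoft\MSDTC\Security
    )
    # The three RPC flags encode the authentication choice in the DTC Security tab.
    if ($Rpc.TurnOffRpcSecurity -eq 1) {
        $mode = 'NoAuth'        # "No Authentication Required"
    } elseif ($Rpc.AllowOnlySecureRpcCalls -eq 1 -and $Rpc.FallbackToUnsecureRPCIfNecessary -ne 1) {
        $mode = 'Mutual'        # "Mutual Authentication Required"
    } elseif ($Rpc.FallbackToUnsecureRPCIfNecessary -eq 1) {
        $mode = 'Incoming'      # "Incoming Caller Authentication Required"
    } else {
        $mode = 'Unknown'
    }
    $network = $Security.NetworkDtcAccess -eq 1
    $inbound = $network -and $Security.NetworkDtcAccessInbound -eq 1
    $notes = @()
    if ($mode -eq 'NoAuth' -and $network) {
        $notes += 'Network DTC access is on and peers are not authenticated.'
    }
    if ($mode -eq 'NoAuth' -and $inbound) {
        $notes += 'Inbound transactions are accepted from unauthenticated callers; limit the DTC ports to the partner host at the firewall.'
    }
    [pscustomobject]@{
        Mode = $mode; NetworkAccess = $network; Inbound = $inbound
        Outbound = ($network -and $Security.NetworkDtcAccessOutbound -eq 1)
        Exposed = ($notes.Count -gt 0); Notes = $notes
    }
}

# Constructed sample: a DMZ host set to "No Authentication Required", inbound only.
$sampleRpc = @{ AllowOnlySecureRpcCalls = 0; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 1 }
$sampleSec = @{ NetworkDtcAccess = 1; NetworkDtcAccessInbound = 1; NetworkDtcAccessOutbound = 0 }
Get-DtcAuthFinding -Rpc $sampleRpc -Security $sampleSec | Format-List

# On a Windows host, audit the live configuration (read-only).
$base = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
if (Test-Path $base) {
    Get-DtcAuthFinding -Rpc (Get-ItemProperty $base) -Security (Get-ItemProperty "$base\Security") | Format-List
}
```

For the constructed sample the result is `Mode = NoAuth`, `Inbound = True`, `Exposed = True`, which matches the DMZ server described in the question.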