แก้ไข

แชร์ผ่าน


Security Considerations for Message and Instance Data Tracking

For security reasons, message and service instance tracking does not use browsers or URLs as in previous releases of BizTalk Server. This monitoring option is included as a part of the Group Overview page in the BizTalk Server Administration Console. For backward compatibility, BizTalk Server still hosts Microsoft Internet Explorer inside a shell for security reasons.

By tracking message and service instance data, you can access the technical details necessary to troubleshoot and optimize your BizTalk Server environment. Because this tracking data is powerful, you should limit access to it in your production environment so that malicious or unauthorized users do not cause damage. It is recommended you follow these guidelines for securing and using the BizTalk Server Administration Console in your environment.

  • You must be logged on as a member of the BizTalk Server Operators group to view data using the BizTalk Server Administration Console. To access message bodies in the Group Overview section of the BizTalk Server Administration console, you must be logged on as a member of the BizTalk Server Administrators group.

    When you use message and service instance tracking, you can access the following databases:

    Database User Group/Permissions
    BizTalk Management (BizTalkMgmtDb) BizTalk Server Administrators, BizTalk Server Operators
    BizTalk MessageBox (BizTalkMsgBoxDb) BizTalk Server Administrators, BizTalk Server Operators, or read-write permissions
    BizTalk Tracking (BizTalkDTADb) BizTalk Server Administrators, BizTalk Server Operators, or read-only permissions
  • Message and service instance tracking generates reports about all hosts in the BizTalk Server environment based on the parameters of a query. To minimize the potential of information disclosure, only members of the BizTalk Server Administrators group can use the BizTalk Server Administration Console to execute these querries. However, if you do not want all BizTalk Server Administrators to have access to the data this tracking process produces, you can limit their access to the data by adding/removing users from the HM_EVENT_WRITER and BAM_EVENT_WRITER SQL Server roles in the BizTalk Tracking (BizTalkDTADb) database.

  • BizTalk uses the BAM_EVENT_WRITER and HM_EVENT_WRITER SQL Server roles to grant/deny their members permissions to read/write the tracking data in the Tracking database, but not through role membership. Do not remove these SQL Server roles. When you change a host from hosting to not hosting tracking (or vice versa), the adm_ChangeHostTrackingPrivilege stored procedure is called. This stored procedure reads the definition of the BAM_EVENT_WRITER and HM_EVENT_WRITER SQL Server roles and apply the corresponding GRANT/DENY statements to the Host Windows group. This achieves the same effect as adding the Host Windows group to these SQL roles.

  • When you configure the BizTalk Server Administration Console preferences to view data from an archived database, In this case the tracking queries connect to the databases that hold the archived data, not to the currently active BizTalk Tracking (BizTalkDTADb) database.

  • You cannot debug live orchestrations across Network Address Translation (NAT) firewalls. You must have an administration computer on the Processing domain in order to debug live orchestrations.

  • Depending on how you configure tracking and the pipelines, BizTalk Server may store sensitive information contained in the message context. If you use WMI or tracking to save message bodies to a file location, ensure that the location has a strong discretionary access control list (DACL) so that only BizTalk Server Administrators have read permissions to these message bodies. Apply the same DACL to any location you save the message bodies, including non-BizTalk databases where you may archive and restore them.

  • You must manually grant permissions to the BizTalk Server Administrators group to access the Tracking Analysis Server (BizTalkAnalysisDb) database; by default, only OLAP administrators have permissions to it.

See Also

Planning for Message and Instance Tracking
Viewing Tracked Message and Instance Data