Geeks With Blogs

Michael Stephenson keeping your feet on premise while your heads in the cloud
Name:
Everything runs as the same user
 
Description:
This situation exists on some of the test environments on a project I have been working on.  Basically all of the BizTalk hosts and IIS application pools are configured to run as the same user account because it is easier to set up.
This is especially common for development and testing environments.  I came across the situation on this particular project where the user account had become locked out and, as a result, testers on three different environments were experiencing errors when their application interacted with a BizTalk orchestration that was exposed as a web service.
Symptoms:
  1. The environment setup is probably not scripted, which is why things are done manually
  2. Everything runs as the same user
  3. Sometimes the same user is used on multiple environments

 

Pain:
  1. The main pain is that if the user becomes locked then all environments can be affected.
  2. This is not a security best practice, so the system is more vulnerable, in particular to elevation of privilege attacks.
  3. It can be really difficult to locate the process which is causing the account to become locked.  In the example here it was an IIS application pool. IIS does not validate the password when you enter it for the identity; validation is instead done when the application pool is loaded.  This means that spotting which application pool was the cause can be tricky.  In this example, combine that with the fact that it could be on any of the 3 environments.
Cure:
  1. Treat the user accounts under which processes will run as a core part of the configuration and setup of the environment.
  2. Don't have just one account; refer to the BizTalk documentation for guidance
  3. Script the setup of your environments so mistakes will not be made
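
One way to check an environment for this anti-pattern, as an added example that is not part of the original post: the script inventories the accounts behind BizTalk host instance services and IIS application pools on several servers and reports every account used by more than one process. It assumes IIS 7 or later with the WebAdministration module, PowerShell remoting enabled, and placeholder server names.

```powershell
# Added example (not the author's code): find service accounts shared between
# BizTalk host instances and IIS application pools, across servers.
# Assumptions: hypothetical server names; PowerShell 3+ with remoting enabled;
# IIS 7+ with the WebAdministration module on the web servers.
$servers = @('TEST1-BTS', 'TEST2-BTS', 'TEST3-BTS')   # placeholders

$inventory = Invoke-Command -ComputerName $servers -ScriptBlock {
    # In-process BizTalk host instances run as Windows services whose names
    # start with "BTSSvc"; StartName is the logon account of the service.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'BTSSvc%'" |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'BizTalkHost'
                Name    = $_.Name
                Account = $_.StartName
            }
        }

    # Application pools configured with a custom identity (SpecificUser).
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
            ForEach-Object {
                [pscustomobject]@{
                    Kind    = 'AppPool'
                    Name    = $_.Name
                    Account = $_.processModel.userName
                }
            }
    }
}

# Group-Object compares account names case-insensitively by default.
# Any group with more than one member is an account shared between
# processes, possibly on different servers (PSComputerName is added
# to each result by Invoke-Command).
$inventory | Group-Object -Property Account |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            Processes = $_.Count
            Servers   = ($_.Group.PSComputerName | Sort-Object -Unique) -join ', '
            UsedBy    = ($_.Group | ForEach-Object { "$($_.Kind):$($_.Name)" }) -join ', '
        }
    } | Format-Table -AutoSize -Wrap
```

The UsedBy column also narrows the search when an account is being locked out, because it lists every application pool and host instance configured with that account on each server.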
Comments:
 

 

Disclaimer

I have noticed a few sites that seem to copy the content of blog articles and display them in their own site.  It is a bit annoying that they do not clearly reference or acknowledge the author so I have decided to put this note on the bottom of all of my posts from now so it is clear who wrote it.

This article was written by: Michael Stephenson

The source of this article is: http://www.geekswithblogs.net/michaelstephenson

Posted on Tuesday, December 4, 2007 11:19 PM BizTalk


Comments on this post: BizTalk Anti Pattern: Everything runs as the same user

No comments posted yet.


Copyright © Michael Stephenson | Powered by: GeeksWithBlogs.net