Distributed Transaction Coordinator In Windows Server 2003
Posted by Webmaster (Keymaster), September 8, 2017 at 3:26 pm #2195

What does Distributed Transaction Coordinator do?
The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, file systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers.
Who does this feature apply to?
Users of any computers that participate in DTC transactions, either directly or through other computers.
System administrators of networks that use DTC components to perform transactions across networks.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Securing all network communication by default
Detailed description
In Windows Server 2003 Service Pack 1, DTC provides the administrator with greater control over the network communication between computers. By default, all network communication is disabled.
In order to manipulate the communication settings, the DTC security settings properties page has been enhanced. To see the page, use the following procedure:
To open the DTC security settings properties page
1. Open the Component Services snap-in Microsoft Management Console (MMC).
2. In the console tree, click the Computers folder.
3. In the results pane, right-click My Computer and then click Properties.
4. Click the MSDTC tab, and then click Security Configuration.
The table below defines the new fields in the property page, along with the registry keys affected for the different settings. All the registry keys related to MSDTC are located in the following registry key:
MyComputer\HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. These registry keys might not be supported in future releases.
The following table tells you where to find the MSDTC key-specific values.
Setting: Network DTC Access
Description: Determines whether DTC on the local computer is allowed to access the network. This setting must be enabled in combination with one of the other settings to enable network DTC transactions.
Default setting: Off
Corresponding registry value: Security\NetworkDtcAccess (0 = Off, 1 = On)

Setting: Allow Inbound
Description: Allows a distributed transaction that originates from a remote computer to run on this computer.
Default setting: Off
Corresponding registry values: To enable this setting you must set the following registry values to 1: Security\NetworkDtcAccess, Security\NetworkDtcAccessTransactions and Security\NetworkDtcAccessInbound. To disable this setting, you only need to set Security\NetworkDtcAccessInbound to 0.

Setting: Allow Outbound
Description: Allows the local computer to initiate a transaction and run it on a remote computer.
Corresponding registry values: To enable this setting, you need to set the following registry values to 1: Security\NetworkDtcAccess, Security\NetworkDtcAccessTransactions and Security\NetworkDtcAccessOutbound. To disable this setting, you only need to set Security\NetworkDtcAccessOutbound to 0.

Setting: Mutual Authentication Required
Description: Adds support for mutual authentication in future versions and is the highest secured communication mode. In the current versions of Windows and Windows Server, it is functionally equivalent to the Incoming Caller Authentication Required setting. This is the recommended transaction mode for clients running Windows XP SP2 and servers running a member of the Windows Server 2003 family.
Warning: You cannot use the Mutual Authentication Required transaction mode with computers that are in a clustered environment, or any computers that are negotiating transactions with such computers. In that context, you can use the Incoming Caller Authentication Required transaction mode instead. In a clustered environment, the computer account for the Distributed Transaction Coordinator service specifies the cluster node's host name instead of the transaction node's host name, which prevents the authentication request from succeeding when the Mutual Authentication Required transaction mode is enabled.
Corresponding registry values: AllowOnlySecureRpcCalls = 1, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 0

Setting: Incoming Caller Authentication Required
Description: Requires the local DTC to communicate with a remote DTC using only encrypted messages and mutual authentication. This setting is recommended for servers running Windows Server 2003 that are operating in a cluster. Only Windows Server 2003 and Windows XP SP2 support this feature, so you should only use this if you know that the DTC on the remote computer runs either the Windows Server 2003 or Windows XP SP2 operating system.
Corresponding registry values: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 1, TurnOffRpcSecurity = 0

Setting: No Authentication Required
Description: Provides system compatibility between previous versions of the Windows operating system. When enabled, communication on the network between DTCs can fall back to non-authenticated or non-encrypted communication if a secure communication channel cannot be established. This setting should be used if the DTC on the remote computer runs a Windows 2000 operating system or a Windows XP operating system earlier than SP2. This setting is also useful when the DTCs that are involved are located on computers that are in domains that do not have an established trust relationship or if the computers are part of a Windows workgroup.
Corresponding registry values: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 1
Why is this change important? What threats does it help mitigate?
These changes are important in order to secure any communication coming into or going out from the computer. By default, after installing Windows Server 2003 Service Pack 1, the computer will not accept or issue any DTC network traffic and therefore will be less vulnerable to network attacks.
Additionally, the online network protocol has been upgraded to support a more securely encrypted and mutually authenticated communication mode. This helps to ensure that attackers cannot intercept or take over communications between DTCs.
What works differently?
After installing Windows Server 2003 Service Pack 1, all network communication coming out of or getting into DTC is disabled. For example, if a COM+ object attempts to update a SQL database on a remote computer using a DTC transaction, the transaction fails. Conversely, if your computer is hosting a SQL database that components from remote computers try to access using a DTC transaction, their transactions fail.
How do I fix these issues?
If your transactions fail because of network connectivity, you can use the MSDTC security properties, as described previously in this document: select the Network DTC Access check box, and then select the Allow Inbound and Allow Outbound check boxes, as appropriate.
If you want to change these settings programmatically as part of your Windows Server 2003 Service Pack 1 deployment, you can directly change the registry values that correspond to your desired setting as described in the table in "Securing all network communication by default," earlier in this document. After you have changed the registry settings, you must restart the MSDTC service.
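The following PowerShell audit script is an added example, not part of the original post or of Microsoft's documentation: it reads the MSDTC registry values listed in the table above, reports whether inbound and outbound network transactions are effectively enabled, and names the authentication mode selected by the three RPC values, flagging a fallback-to-unsecure configuration. It assumes PowerShell with the HKLM: registry drive and only the value names given in this post.

```powershell
# Added audit script (not from the original post): reads the MSDTC values from the
# table above. Assumes PowerShell with the HKLM: registry drive.
$dtcKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
$secKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'

function Get-DtcValue($path, $name, $default) {
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$name]) { return [int]$item.$name }
    return $default   # value absent: assume the SP1 default from the settings table
}

$net  = Get-DtcValue $secKey 'NetworkDtcAccess'             0
$txn  = Get-DtcValue $secKey 'NetworkDtcAccessTransactions' 0
$inb  = Get-DtcValue $secKey 'NetworkDtcAccessInbound'      0
$outb = Get-DtcValue $secKey 'NetworkDtcAccessOutbound'     0
$only = Get-DtcValue $dtcKey 'AllowOnlySecureRpcCalls'          1
$fall = Get-DtcValue $dtcKey 'FallbackToUnsecureRPCIfNecessary' 0
$off  = Get-DtcValue $dtcKey 'TurnOffRpcSecurity'               0

# Inbound/Outbound only take effect when both gating values are 1 (see the table).
$inboundEffective  = ($net -eq 1 -and $txn -eq 1 -and $inb  -eq 1)
$outboundEffective = ($net -eq 1 -and $txn -eq 1 -and $outb -eq 1)

# Map the three RPC values to the transaction mode names used in the table.
$mode = switch ("$only$fall$off") {
    '100'   { 'Mutual Authentication Required' }
    '010'   { 'Incoming Caller Authentication Required' }
    '001'   { 'No Authentication Required' }
    default { "Inconsistent: AllowOnlySecureRpcCalls=$only FallbackToUnsecureRPCIfNecessary=$fall TurnOffRpcSecurity=$off" }
}

"Network DTC Access : $net (NetworkDtcAccessTransactions: $txn)"
"Allow Inbound      : $inb (effective: $inboundEffective)"
"Allow Outbound     : $outb (effective: $outboundEffective)"
"Authentication mode: $mode"

# Findings, following the guidance in the post.
if ($off -eq 1) {
    'FINDING: TurnOffRpcSecurity=1 allows fallback to unauthenticated, unencrypted DTC traffic; intended only for Windows 2000 / pre-SP2 XP peers, untrusted domains or workgroups.'
}
if (($inb -eq 1 -or $outb -eq 1) -and -not ($net -eq 1 -and $txn -eq 1)) {
    'NOTE: Inbound/Outbound is set but NetworkDtcAccess or NetworkDtcAccessTransactions is 0, so network transactions stay disabled.'
}
if (-not ($inboundEffective -or $outboundEffective)) {
    'Network DTC is fully disabled (the Service Pack 1 default).'
}
```

Run it before and after changing the values so the restart of the MSDTC service described above can be verified against the intended mode.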
If you are using Windows Firewall to protect the computers in your organization, you must add MSDTC into the exception list in the Windows Firewall settings. To do so, use the following steps:
1. In Control Panel, open Windows Firewall.
2. Click the Exceptions tab, and then click Add Program.
3. Click Browse, and then add c:\windows\system32\msdtc.exe.
4. In Programs and Services, select the Msdtc.exe check box, and then click OK.
What settings are added or changed in Windows Server 2003 Service Pack 1?

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security
Setting name                      Previous default value   Default value   Possible values
NetworkDtcAccess                  1                        0               0,1
NetworkDtcAccessTransactions      1                        0               0,1
NetworkDtcAccessInbound           n/a                      0               0,1
NetworkDtcAccessOutbound          n/a                      0               0,1

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
Setting name                      Previous default value   Default value   Possible values
AllowOnlySecureRpcCalls           n/a                      1               0,1
FallbackToUnsecureRPCIfNecessary  n/a                      0               0,1
TurnOffRpcSecurity                n/a                      0               0,1