Microsoft security bulletin MS05-051 describes some security-related changes to Transaction Internet Protocol (TIP) functionality in Microsoft Distributed Transaction Coordinator (MS DTC). Security bulletin MS05-051 describes security update 902400. When you install security update 902400 in Microsoft Windows 2000, you disable TIP functionality. By default, TIP is disabled on computers that are running Microsoft Windows XP or Microsoft Windows Server 2003.
On computers that are running Windows XP or Windows Server 2003, or on computers that have security update 902400 installed, you can enable TIP by configuring a registry entry.
Security update 902400 also contains new registry entries to configure TIP functionality. This article describes how to configure MS DTC TIP functionality after you install security update 902400.
Before you modify the TIP-related registry settings that are described in this article, see security bulletin MS05-051 for information about the following issues:
- Vulnerabilities that the security bulletin addresses.
- Why TIP functionality is disabled by default.
- Recommended potential mitigation factors.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
MS05-051: Vulnerabilities in MS DTC and COM+ could allow remote code execution
How to enable TIP functionality after you install security update 902400
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
- Click Start, click Run, type regedit, and then click OK.
- Locate and then right-click the following registry subkey:
- Use the following information to set a value for the NetworkDtcAccessTip entry.
  Note If the registry entry does not exist, the TIP protocol is disabled.
  - 0 (default): The TIP protocol is disabled. MS DTC does not listen on port 3372.
  - A non-zero value: The TIP protocol is enabled. MS DTC listens on port 3372.
  - This registry entry already exists on computers that are running Windows XP or Windows Server 2003 and that do not have security update 902400 installed. If a value for this entry already exists, security update 902400 leaves the current value unchanged.
  - In Windows XP and in Windows Server 2003, you must also enable Network DTC Access to enable TIP support. For more information about how to enable or disable Network DTC Access and other related MS DTC configuration options, click the following article number to view the article in the Microsoft Knowledge Base:
    New functionality in the Distributed Transaction Coordinator service in Windows Server 2003 Service Pack 1 and in Windows XP Service Pack 2
- Quit Registry Editor.
- Stop and then restart the MS DTC service. To do this, follow these steps:
  - At a command prompt, type net stop msdtc, and then press ENTER.
  - Type net start msdtc, and then press ENTER.
How to configure TIP
If security update 902400 is installed and if TIP is enabled, you can configure TIP by modifying the following registry entries. These entries are located under the following registry subkey:
If the registry entry does not exist, the TIP protocol is disabled.

| Entry | Type | Values | Comments |
|---|---|---|---|
| (entry name not present in the source) | (not present in the source) | 0 (default): Verify that the TmID in a TIP IDENTIFY command matches the IP address from which the command was sent. If the TmID does not match, reject the message. A non-zero value: Do not verify that the TmID in the TIP IDENTIFY command matches the IP address. | When TIP IDENTIFY commands are received, MS DTC verifies that the TmID in the command matches the IP address from which the command was sent. |
| (entry name not present in the source) | (not present in the source) | 0 (default): Verify that the TIP IDENTIFY command specifies port 3372. If the command does not specify port 3372, reject the message. A non-zero value: Do not verify that the port that is specified in the TIP IDENTIFY command is 3372. | The TIP protocol uses port 3372 in most scenarios. If you have a topology where other ports are used, you can enable that functionality by setting this value to a non-zero value. |
| DisableTipBeginCheck | REG_DWORD | 0 (default): TIP BEGIN commands are always rejected. A non-zero value: TIP BEGIN commands are enabled. | In most TIP scenarios, transaction managers do not use the BEGIN command in communications. For example, MS DTC does not use this command. If you use TIP only with MS DTC and if you set this value to 0, you do not disable any functionality. In a TIP scenario where the BEGIN command must be used in a transaction manager communication, set this value to a non-zero value. |
| DisableTipPassThruCheck | REG_DWORD | 0 (default): This value disables PULL commands for a transaction that has not performed local work. A non-zero value: This value enables PULL commands for transactions that have not performed local work. | In most TIP scenarios, the TIP protocol is used to coordinate between MS DTC and another transaction manager. Therefore, some local activity, such as local application involvement, voter enlistments, or resource manager enlistments, occurs. By default, or if this registry value is set to 0, MS DTC rejects PULL commands for transactions that have not performed any local work. |

To apply modifications to these registry settings, stop and then restart the MS DTC service.
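The following audit script is an added example, not part of the Microsoft article: it reads the NetworkDtcAccessTip entry from the "How to enable" section and the DisableTipBeginCheck and DisableTipPassThruCheck entries from the table above, reports whether TIP is enabled and which protective checks have been switched off, and cross-checks the registry state against a listener on TCP port 3372. The registry subkey path is an assumption passed in by the caller, because the article text reproduced here omits it.

```powershell
# Added example, not from the Microsoft article: audit-only readout of the TIP
# registry entries described above, plus a check of whether anything listens on
# TCP 3372. Assumption: $TipSubkey is the registry subkey named in the bulletin;
# the article text reproduced here omits the path, so it is a placeholder.
param(
    [string]$TipSubkey = 'HKLM:\SOFTWARE\<placeholder - subkey from MS05-051 article>'
)

function Get-DtcTipValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the entry is absent. Per the article, an absent
    # NetworkDtcAccessTip means TIP is disabled, and the Disable* entries
    # default to 0 (the corresponding check stays enforced).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DtcTipReport {
    param([string]$Path)
    $r = [ordered]@{}
    $tip = Get-DtcTipValue -Path $Path -Name 'NetworkDtcAccessTip'
    $r['NetworkDtcAccessTip'] = if ($null -eq $tip) { '(absent)' } else { $tip }
    $r['TipEnabled'] = ($null -ne $tip -and $tip -ne 0)

    # For these entries a non-zero value switches the protective check OFF.
    foreach ($name in 'DisableTipBeginCheck', 'DisableTipPassThruCheck') {
        $v = Get-DtcTipValue -Path $Path -Name $name
        $r[$name] = if ($null -eq $v -or $v -eq 0) { 'check enforced (0/default)' }
                    else { "check DISABLED ($v)" }
    }

    # netstat exists on every Windows version the article covers; look for a
    # LISTENING socket on port 3372, which the article ties to TIP being enabled.
    $lines = netstat -an 2>$null | Select-String -Pattern ':3372\s+\S+\s+LISTENING'
    $r['Port3372Listening'] = [bool]$lines
    if ($r['TipEnabled'] -ne $r['Port3372Listening']) {
        $r['Note'] = 'Registry state and listener disagree; MS DTC may need ' +
                     'a restart (net stop msdtc, then net start msdtc).'
    }
    return [pscustomobject]$r
}

Get-DtcTipReport -Path $TipSubkey | Format-List
```

Run it after changing any of these entries and restarting MS DTC; a mismatch between TipEnabled and Port3372Listening usually means the service has not been restarted yet.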
TIP is an Internet Engineering Task Force (IETF) standard. For more information about TIP, visit the following IETF Web site: