This documentation is archived and is not being maintained.

Voice Response Application Security

Speech Server 2007

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release.

When you deploy an application using the Speech Server??Administrator console, the application's virtual directory is configured to allow access from accounts on localhost only. This security setting is appropriate for inbound applications. However, outbound applications might need to allow access from authenticated users on remote computers.

The appropriate permissions needed for an outbound application depends on how the application is activated and by whom. To activate a deployed outbound-calling application in Speech Server, the application accepts a trigger from the following mechanisms:

  • Other applications or users sending HTTP POST requests
  • Retrieving messages from the Microsoft Message Queuing (MSMQ) service

If the outbound-calling application is not securely configured, malicious users could access the application and trigger unwanted outbound-calling activity. To help prevent unwanted access to outbound-calling applications, take measures to ensure the security of the following application components:

  • The virtual directory of the application, specifically the MyApplication.speax file, should be securely configured to only allow access from the accounts of users permitted to initiate outbound-calling applications.
  • If using a separate application to initiate the outbound-calling application (such as the Outbound.aspx file in a managed code application), that application should be securely configured to allow access from trusted accounts on remote computers. However, MyApplication.speax should remain restricted to localhost accounts only.
  • MSMQ should be secured such that only Speech Server can peek and receive messages and only trusted accounts can send messages to it.

If it is necessary to allow access from a remote computer, you can use Internet Information Services (IIS) Manager to allow this access by doing the following:

  • Modify the IP address and domain name restrictions for the application virtual directory to allow access from the computers sending the POST requests. Confirm that the Enable Anonymous Access option is not activated.
  • Additionally, you can modify the application Web.config file with a list of trusted users to allow access. Integrated Windows Authentication (IWA) should be activated to check user credentials. For more information, see ASP.NET Authorization.
  • For applications that use MSMQ, see How to: Configure Message Queue Security.