Re: DCOM security in Windows Server 2003 SP1
Hi Hong,

Launch permission is necessary to start a COM server, and activation
permission is required to create an object in an already running server.

Does this mean that activation is inevitable for a client to access a COM object?

I think so, yes, unless someone else creates the instance and passes it to the client.


I'd just thought I'd comment here: this sounds like DCOM Limits in XP
SP2, it's unfortunate that they chose a different name for it in the
server edition if it's indeed the same thing.

You are right. In Component Services, the settings of this "computerwide" restriction are done through the "Edit Limits..." button in W2K3 SP1.

Thanks for confirming that, I'm glad the configuration UI is the same.

Do you mean that in my client program, I have to activate the remote
DCOM by one account (through setting CoInitializeSecurity() or setting
COAUTHINFO in COSERVERINFO in CoCreateInstanceEx()) with special
activation privilege, for example, a domain account in the newly
created built-in group "Distributed DCOM user", and switch back to the
identity that runs the client program after the activation? Ugly.

Yeah, it doesn't sound too great. But then, you're trying to circumvent security obstacles here, it's bound to get ugly :-)


We made the DCOM and client programs. I don't think our customer would
like to grand remote activation permission to "Everyone" in the
computerwide restrictions or DCOM limits whatever it is called, just
because our client program fails.

Well, the limits are just that -- a minimum of what's necessary to run all DCOM applications on a machine. If your clients have one DCOM application (i.e. yours) that requires remote activation, they need to allow it for the machine.


Note that this won't affect other DCOM servers on the machine, unless they also grant the remote activation permission for the server, or rely on DCOM default permissions that allow it.

Maybe you can tighten the requirement from Everyone to something a little less ubiquitous? Any chance you can create a new domain group called 'My app users' that you can allow DCOM access to the server machine, and make all client users part of that group? It's a deployment nightmare, take it from me, but I'm just throwing out ideas...

--
Best regards,
Kim Gräsman
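An added example, not part of this thread, for auditing the machine-wide limits the reply describes before deciding whether to widen them: a PowerShell script that decodes the limits from the registry and flags an entry granting Everyone remote activation. It assumes the standard value names MachineLaunchRestriction and MachineAccessRestriction under HKLM\SOFTWARE\Microsoft\Ole, the COM_RIGHTS_* bit values from objbase.h, and that the built-in group the thread refers to is the one actually named "Distributed COM Users".

```powershell
# Added example, not from the thread: audit the "computer-wide" DCOM limits
# ("Edit Limits..." in Component Services). Windows Server 2003 SP1 and later
# store them as self-relative security descriptors under HKLM\SOFTWARE\Microsoft\Ole.
# Run in an elevated PowerShell on the server being checked.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM_RIGHTS_* access-mask bits as defined in objbase.h
$ComRights = [ordered]@{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08
    ActivateRemote = 0x10
}

function Get-DcomLimitAce {
    param([Parameter(Mandatory)][string]$ValueName)
    $props = Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $props) { return }   # value absent: the OS default limit applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$props.$ValueName), 0
    if ($null -eq $sd.DiscretionaryAcl) { Write-Warning "$ValueName has a NULL DACL (no restriction at all)"; return }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # unresolvable SID, e.g. a deleted domain group
        $granted = @($ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] })
        [pscustomobject]@{
            Limit   = $ValueName
            Account = $account
            Sid     = $sid.Value
            AceType = $ace.AceType
            Rights  = ($granted -join ',')
        }
    }
}

# MachineLaunchRestriction covers launch and activation; MachineAccessRestriction covers calls.
$aces = @('MachineLaunchRestriction', 'MachineAccessRestriction') | ForEach-Object { Get-DcomLimitAce $_ }
$aces | Format-Table -AutoSize
# The setting the thread argues against: Everyone (S-1-1-0) allowed to activate remotely.
$aces | Where-Object {
    $_.Limit -eq 'MachineLaunchRestriction' -and $_.Sid -eq 'S-1-1-0' -and
    $_.AceType -eq 'AccessAllowed' -and $_.Rights -match 'ActivateRemote'
} | ForEach-Object {
    Write-Warning "Everyone may activate DCOM servers remotely; scope this to a dedicated group instead."
}

# Membership of the built-in group SP1 added for exactly this purpose
net localgroup "Distributed COM Users"
```

If a limit value is missing, the script prints nothing for it because the operating-system default applies; add the app-specific domain group to "Distributed COM Users" (or to the limit directly) rather than Everyone.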
