RE: DCOM Security and XPSP2 - long post



"Walter Wang [MSFT]" wrote:

Hi Steve,

1. If the server is already running on PCABC, does the fact that non-admins
don't have launch/activate prevent them from connecting to and calling into
the existing server (I don't think it should, but...) ?

Yes. Launch / Activate include Activate, so the client call to
CoCreateInstance() will fail, even if the server is already running. If the
client gets hold of a com interface pointer in some other way (for example
handed through a method call by some other client - unlikely to happen
though) then this limitation does not apply.


2. Are there security policy settings that might affect stuff like this
behind the scenes (ie logon as batch is one I'm aware of) ?


Yes. DCOM security is one hurdle to pass, but there are others to pass in
order to get everything working. I am not aware of any of them specifically
introduced by the DCOM Security Enhancements, though.


3. I assume that in the absence of CoInitializeSecurity and AppID settings,
the machine default settings will still apply (along with the limits)?


Yes.


4. Do Windows 2003 / Vista behave any differently to the XPSP2 model?


The security enhancements of XP SP2 are in W2K3 from SP1 and in Vista from
RTM. In Vista there are additional limitations deriving from UAC.


Hope this helps.

Regards,
Walter Wang (wawang@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support

Thanks for that. In the scenario above, we therefore need to grant the
Activation in the Limits to (in this case) a specific group. Since the server
will be running, we won't need launch access.

Supplementary question:
Do we need to grant Remote Activation on (a) the server, (b) the
client or (c) both? Obviously, we want to minimize the reduction in security
as far as possible.

Steve S
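Since the thread turns on which Launch/Activation bits a principal actually holds in the machine-wide Limits versus a server's own AppID settings, here is an added PowerShell audit script (not from the original thread or from Microsoft) that reads those security descriptors out of the registry and decodes each ACE into Local/Remote Launch and Local/Remote Activation. It assumes it runs on the DCOM server with rights to read HKLM and HKCR, and the AppID GUID is a placeholder you replace with your server's.

```powershell
# Added example, not part of the original thread: decode DCOM launch/access
# security descriptors so you can see who holds Remote Activation before
# loosening anything. Assumes read access to HKLM\SOFTWARE\Microsoft\Ole and
# HKCR\AppID; $appId below is a PLACEHOLDER to replace with your server's AppID.

# Access-mask bits used in DCOM permission ACEs (COM_RIGHTS_* in objbase.h).
# The same bit positions carry different labels for launch vs. access SDs.
$LaunchRights = [ordered]@{
    'Local Launch'      = 0x2   # COM_RIGHTS_EXECUTE_LOCAL
    'Remote Launch'     = 0x4   # COM_RIGHTS_EXECUTE_REMOTE
    'Local Activation'  = 0x8   # COM_RIGHTS_ACTIVATE_LOCAL
    'Remote Activation' = 0x10  # COM_RIGHTS_ACTIVATE_REMOTE
}
$AccessRights = [ordered]@{
    'Local Access'  = 0x2       # COM_RIGHTS_EXECUTE_LOCAL
    'Remote Access' = 0x4       # COM_RIGHTS_EXECUTE_REMOTE
}
$LegacyExecute = 0x1            # COM_RIGHTS_EXECUTE: pre-SP2 "all rights" bit

function Get-DcomAceReport {
    param(
        [Parameter(Mandatory)] [byte[]] $SecurityDescriptorBytes,
        [Parameter(Mandatory)] [ValidateSet('Launch','Access')] [string] $Kind,
        [string] $Source = 'unknown'
    )
    $labels = if ($Kind -eq 'Launch') { $LaunchRights } else { $AccessRights }
    # The registry stores a self-relative SECURITY_DESCRIPTOR as REG_BINARY;
    # RawSecurityDescriptor parses it without touching any COM API.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $SecurityDescriptorBytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # unresolvable SID: report it raw
        $rights = foreach ($name in $labels.Keys) {
            if (($ace.AccessMask -band $labels[$name]) -ne 0) { $name }
        }
        # An ACE carrying only the legacy bit predates the SP2 split into
        # local/remote rights; flag it so it is not mistaken for "no rights".
        if (($ace.AccessMask -band $LegacyExecute) -ne 0 -and -not $rights) {
            $rights = @('Legacy COM_RIGHTS_EXECUTE only')
        }
        [pscustomobject]@{
            Source  = $Source
            AceType = $ace.AceType      # AccessAllowed or AccessDenied
            Account = $account
            Mask    = ('0x{0:X}' -f $ace.AccessMask)
            Rights  = ($rights -join ', ')
        }
    }
}

$report = @()

# Machine-wide Limits (the "Edit Limits" buttons in dcomcnfg). The launch
# limits are what gate CoCreateInstance; the access limits gate calls made on
# an interface pointer the client already holds.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
if ($ole.MachineLaunchRestriction) {
    $report += Get-DcomAceReport -SecurityDescriptorBytes $ole.MachineLaunchRestriction -Kind Launch -Source 'MachineLaunchRestriction'
}
if ($ole.MachineAccessRestriction) {
    $report += Get-DcomAceReport -SecurityDescriptorBytes $ole.MachineAccessRestriction -Kind Access -Source 'MachineAccessRestriction'
}

# Per-server settings live under the AppID key. PLACEHOLDER GUID: replace it.
$appId  = '{00000000-0000-0000-0000-000000000000}'
$appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
if (Test-Path $appKey) {
    $app = Get-ItemProperty -Path $appKey
    if ($app.LaunchPermission) {
        $report += Get-DcomAceReport -SecurityDescriptorBytes $app.LaunchPermission -Kind Launch -Source "AppID $appId LaunchPermission"
    } else {
        Write-Host "No LaunchPermission on $appId; the machine default (DefaultLaunchPermission) applies."
    }
    if ($app.AccessPermission) {
        $report += Get-DcomAceReport -SecurityDescriptorBytes $app.AccessPermission -Kind Access -Source "AppID $appId AccessPermission"
    }
} else {
    Write-Host "AppID key $appKey not found; set `$appId to your server's AppID."
}

$report | Format-Table -AutoSize
```

Read the output in two passes: an effective grant needs the right in both the Limits row and the AppID (or default) row, so a group that appears with Remote Activation under the AppID but not under MachineLaunchRestriction will still fail CoCreateInstance, which is the situation the thread describes. The script only reads the registry; changing either descriptor is still done through dcomcnfg or Group Policy so the change is recorded where administrators expect it.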


