Re: Queries regarding DCOM Security Enhancements in Windows XP Service Pack 2
- From: "Brian Muth" <bmuth@xxxxxxxx>
- Date: Tue, 6 Feb 2007 09:20:18 -0800
"Enquiring Mind" <Enquiring.Mind@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OtCidLgSHHA.1552@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
MSDN web page http://msdn2.microsoft.com/en-us/library/ms679714.aspx
states in relation to "DCOM Security Enhancements in Windows XP Service
Pack 2 and Windows Server 2003 Service Pack 1 " that:
"The simplest way to think about these access controls is as an additional
AccessCheck call that is done against a computer-wide access control list
(ACL) on each call, activation, or launch of any COM server on the
computer. If the AccessCheck fails, the call, activation, or launch
request is denied. This is in addition to any AccessCheck that is run
against the server-specific ACLs."
If I understand this correctly, when a request for the launch of a COM
server or for access to one of its methods is received by Windows XP SP2,
DCOM applies the *most restrictive* security settings of those assigned to
the machine, and those assigned to the specific COM server. First the
machine-wide security is checked, and only if that is passed, is the
server security checked. Is that a correct interpretation?
Yes
The implication of this is that if I need to disable security for just
a single DCOM server installed on the computer, I must effectively disable
it for all servers on the same machine. This is because the security
settings applied to the specific server will not work unless settings that
are less than or equally restrictive are applied to the whole machine.
Thus if one wishes to install a single server that does not require, for
the sake of example, user authentication, one is forced to make all other
servers bypass user authentication. In many cases this reduces, rather
than enhances, security.
Yes, you need to lower both goal posts.
Or is there a way to make DCOM apply only the specific server security
settings if they are assigned, and neglect the machine-wide settings?
No
Another aspect that is not clear to me is whether the security settings on
the server machine uniquely determine how DCOM on the server handles
security checks, or whether there is interaction between the settings
on the server machine and the settings on the machine hosting the client.
If I have disabled user authentication on the server, must I disable it on
the client computer as well, thereby opening up a large security hole for
all servers installed on my client computer?
No. There is interaction between both settings, however. The server may say,
"I need to know who is accessing my DCOM server", and the client may say, "I
want to access the server's DCOM server but I don't want him to know who I
am". In this situation, authentication is denied.
In other words, the server sets the low water mark and the client sets the
high water mark. Only if the water marks intersect is authentication
granted.
The motivation for these queries is that I wish to install a DCOM server
and one or more client applications in a *Workgroup* network. My
understanding is that caller authentication is problematic in a workgroup
network due to the lack of a central user directory. Or can one computer
in the workgroup network be configured to provide user registration and
authentication services for the whole network?
No, you can't.
Workgroup security is painful to set up and administer. That's why domain
controllers were invented in the first place.
HTH
Brian
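The two-stage check discussed in this thread (machine-wide limit first, then the server-specific ACL, with both having to pass) can be modelled directly. The PowerShell below is an added example written for this page; it is not code from the thread or from Microsoft. It reads nothing from a live system unless you call Get-DcomSddl yourself; the SDDL strings, the AppID parameter and the token SIDs in the demo are constructed test data. The registry locations it names are the documented ones: the machine-wide limits are the REG_BINARY values MachineAccessRestriction and MachineLaunchRestriction under HKLM\SOFTWARE\Microsoft\Ole, and the per-server ACLs are AccessPermission and LaunchPermission under HKEY_CLASSES_ROOT\AppID\{AppID}. The access-right bit values are the COM_RIGHTS_* constants introduced with the SP2 launch/activation split.

```powershell
# Added example (not from the original thread). Models the SP2 DCOM access check:
# the caller must be granted the requested right by the machine-wide ACL AND by the
# server-specific ACL. SDDL strings, AppID and token SIDs below are constructed data.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# COM access-right bits used in the SP2-era LaunchPermission / MachineLaunchRestriction ACLs.
$COM_RIGHTS_EXECUTE         = 1
$COM_RIGHTS_EXECUTE_LOCAL   = 2
$COM_RIGHTS_EXECUTE_REMOTE  = 4
$COM_RIGHTS_ACTIVATE_LOCAL  = 8
$COM_RIGHTS_ACTIVATE_REMOTE = 16

function Test-AclGrants {
    # Minimal AccessCheck over one DACL: a NULL DACL allows everyone, deny ACEs win,
    # allow ACEs accumulate rights, and every requested bit must end up granted.
    # $TokenSids stands in for the caller's token (user SID plus group SIDs such as
    # S-1-1-0, Everyone).
    param(
        [Parameter(Mandatory)][RawSecurityDescriptor] $Sd,
        [Parameter(Mandatory)][string[]] $TokenSids,
        [Parameter(Mandatory)][int] $Requested
    )
    if ($null -eq $Sd.DiscretionaryAcl) { return $true }
    $granted = 0
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -isnot [CommonAce]) { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $overlap = $ace.AccessMask -band $Requested
        if ($ace.AceType -eq [AceType]::AccessDenied -and $overlap -ne 0) { return $false }
        if ($ace.AceType -eq [AceType]::AccessAllowed) { $granted = $granted -bor $overlap }
    }
    return (($granted -band $Requested) -eq $Requested)
}

function Test-DcomEffectiveAccess {
    # Machine-wide limit is evaluated first; the server ACL only matters if it passed.
    # This is the "additional AccessCheck" the MSDN text describes: lowering the
    # per-server ACL alone cannot grant anything the machine-wide ACL withholds.
    param(
        [Parameter(Mandatory)][string] $MachineSddl,
        [Parameter(Mandatory)][string] $ServerSddl,
        [Parameter(Mandatory)][string[]] $TokenSids,
        [Parameter(Mandatory)][int] $Requested
    )
    $machine   = [RawSecurityDescriptor]::new($MachineSddl)
    $server    = [RawSecurityDescriptor]::new($ServerSddl)
    $machineOk = Test-AclGrants -Sd $machine -TokenSids $TokenSids -Requested $Requested
    $serverOk  = if ($machineOk) { Test-AclGrants -Sd $server -TokenSids $TokenSids -Requested $Requested } else { $false }
    [pscustomobject]@{ MachineWide = $machineOk; Server = $serverOk; Effective = ($machineOk -and $serverOk) }
}

function Get-DcomSddl {
    # Reads a REG_BINARY security descriptor from the registry and returns its SDDL,
    # so real values can be fed to Test-DcomEffectiveAccess. $AppId is your server's AppID.
    param([Parameter(Mandatory)][string] $Path, [Parameter(Mandatory)][string] $Name)
    $bytes = (Get-ItemProperty -Path $Path -Name $Name).$Name
    ([RawSecurityDescriptor]::new([byte[]]$bytes, 0)).GetSddlForm([AccessControlSections]::All)
}
# Live use (Windows only):
#   Get-DcomSddl 'HKLM:\SOFTWARE\Microsoft\Ole' 'MachineLaunchRestriction'
#   Get-DcomSddl "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" 'LaunchPermission'

# Demo with constructed data: a remote, non-admin caller (made-up SID) who is also Everyone.
$token = @('S-1-5-21-1004336348-1177238915-682003330-1001', 'S-1-1-0')

# Machine-wide limit shaped like the SP2 default: Administrators everything (0x1F),
# Everyone only local launch + local activation (0xA). Server ACL grants Everyone all.
$machineDefault = 'D:(A;;0x1F;;;BA)(A;;0xA;;;WD)'
$serverOpen     = 'D:(A;;0x1F;;;BA)(A;;0x1F;;;WD)'
Test-DcomEffectiveAccess -MachineSddl $machineDefault -ServerSddl $serverOpen -TokenSids $token -Requested $COM_RIGHTS_ACTIVATE_REMOTE

# "Lower both goal posts": the machine-wide ACL must also grant remote activation to Everyone,
# which loosens it for every COM server on the box, not just this one.
$machineOpen = 'D:(A;;0x1F;;;BA)(A;;0x1F;;;WD)'
Test-DcomEffectiveAccess -MachineSddl $machineOpen -ServerSddl $serverOpen -TokenSids $token -Requested $COM_RIGHTS_ACTIVATE_REMOTE
```

With the constructed data the first call is stopped at the machine-wide stage even though the server's own ACL is wide open; the second passes only because Everyone has been granted remote activation in both ACLs. The SDDL parser in RawSecurityDescriptor needs Windows, and the model deliberately ignores generic-right mapping and inherited ACEs, neither of which these flat DCOM ACLs use.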