DCOM and anonymous access on XP/Vista




Hi all,

I have a question regarding DCOM security settings on XP/Vista.
Say I have a DCOM server and want to configure it for anonymous
access. (Btw the server is already started and the problem is just about
access rights, not start/activation rights)

On Win2K it was enough to add the Everyone identity to the access
rights list via dcomcnfg and allow remote access.

Now I try to make this work with Vista on the client computer and
XP on the server computer. The order doesn't seem to matter, though.

The first thing I read was that Anonymous was no longer a member of
Everyone. OK, I added Anonymous explicitly to the server's access rights
list but the client still gets an error "Interface XY not found". (This error
message is not very helpful and is generated by a third party client I use
for the tests).

Then I found a comment on the net that tells me to use dcomcnfg and
edit the system wide access "limits" to allow anonymous access and
boom! it works.

My problem is probably a misunderstanding of this "Edit limits" feature
introduced in WinXP. I thought that it was introduced to allow an
administrator to prevent certain users or groups from accessing DCOM
servers system wide. E.g. an administrator may want to disallow anonymous
access completely and independently of the server's individual settings.

So when talking about "limits" what does it mean when I use the "Edit limits"
button in dcomcnfg, add Anonymous to the list and allow it remote access?
Does this mean that now all DCOM servers on the system are forced to
allow anonymous access? Certainly something I didn't intend to do.

Moreover, after allowing anonymous access in the "limits" I can even disallow
anonymous access in the server's own DCOM settings but it is ignored!

Any ideas are very appreciated!

(Btw: firewalls, UAC were switched off in this test)

thanks,
Nicolas
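
An added example, not part of the original post: a small audit of the two ACLs the question is about (the machine-wide "limits" and the server's own access list), given as SDDL strings, reporting whether ANONYMOUS LOGON is granted remote access by name. The SDDL strings are constructed samples and the function names are hypothetical; the combined check assumes the documented model in which a remote call has to pass the machine-wide limits as well as the server's own ACL, and that ACEs in the old format (CC only) are not present.

```python
import re

# COM access-right bits and the SDDL two-letter tokens that encode them.
COM_RIGHTS = {"CC": 0x01,   # COM_RIGHTS_EXECUTE
              "DC": 0x02,   # COM_RIGHTS_EXECUTE_LOCAL
              "LC": 0x04,   # COM_RIGHTS_EXECUTE_REMOTE
              "SW": 0x08,   # COM_RIGHTS_ACTIVATE_LOCAL
              "RP": 0x10}   # COM_RIGHTS_ACTIVATE_REMOTE
EXECUTE_REMOTE = 0x04
ANONYMOUS = {"AN", "S-1-5-7"}   # ANONYMOUS LOGON: SDDL alias and SID
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_mask(rights):
    """Turn an SDDL rights field ('CCDCLC' or '0x7') into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= COM_RIGHTS.get(rights[i:i + 2], 0)  # ignore non-COM tokens
    return mask

def anonymous_remote_access(sddl):
    """True if the ACL grants ANONYMOUS LOGON remote access by name.

    Only ACEs naming the trustee directly are evaluated (group membership
    is not resolved). Assumes canonical ACE order, so deny beats allow.
    """
    allowed = denied = 0
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if trustee not in ANONYMOUS:
            continue
        if ace_type == "A":
            allowed |= parse_mask(rights)
        elif ace_type == "D":
            denied |= parse_mask(rights)
    return bool(allowed & ~denied & EXECUTE_REMOTE)

def anonymous_remote_call_permitted(limits_sddl, server_sddl):
    """Both gates must pass: machine-wide limits AND the server's own ACL."""
    return (anonymous_remote_access(limits_sddl)
            and anonymous_remote_access(server_sddl))

# Constructed sample descriptors (not taken from any real machine).
LIMITS_LOCAL_ONLY = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"
LIMITS_OPENED = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;AN)"
SERVER_ALLOWS = "O:BAG:BAD:(A;;CCDCLC;;;S-1-5-7)"
SERVER_DENIES = "O:BAG:BAD:(D;;LC;;;AN)(A;;CCDCLC;;;AN)"
```

Running `anonymous_remote_access` over the limits descriptor of each machine in an inventory gives a quick list of hosts where the system-wide limits have been opened to anonymous remote callers.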
