Re: DCOM and anonymous access on XP/Vista
"nicolasr" <nicolasrREMOVETHISSPAMBLOCKER@xxxxxxx> wrote in message news:OJ5o6DgaIHA.4172@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

I have a question regarding DCOM security settings on XP/Vista.
Say I have a DCOM server and want to configure it for anonymous
access. (Btw the server is already started and the problem is just about
access rights, not start/activation rights)

On Win2K it was enough to add the Everyone identity to the access
rights list via dcomcnfg and allow remote access.

Now I try to make this work with Vista on the client computer and
XP on the server computer. The order doesn't seem to matter, though.

The first thing I read was that Anonymous was no longer a member of
Everyone. OK, I added Anonymous explicitly to the server's access rights
list but the client still gets an error "Interface XY not found". (This error
message is not very helpful and is generated by a third-party client I use
for the tests.)

Then I found a comment on the net that tells me to use dcomcnfg and
edit the system wide access "limits" to allow anonymous access and
boom! it works.

My problem is probably a misunderstanding of this "Edit limits" feature
introduced in WinXP. I thought that it was introduced to allow an
administrator to prevent certain users or groups from accessing DCOM
servers system-wide. E.g. an administrator may want to disallow anonymous
access completely and independently of the servers' individual settings.

So, when talking about "limits", what does it mean when I use the "Edit limits"
button in dcomcnfg, add Anonymous to the list and allow it remote access?
Does this mean that now all DCOM servers on the system are forced to
allow anonymous access? Certainly something I didn't intend to do.


Welcome to the complex world of DCOM security ;-).

Think of it as two separate gateways. The global "Edit limits" was added in WinXP SP2 and Win2003 SP1 (IIRC) as a means of clamping down access across all DCOM objects, without the tedium of editing the DCOMCNFG configuration settings of each individual object. So, to allow anonymous access, you need to alter the settings on both gateways.

Moreover, after allowing anonymous access in the "limits" I can even disallow
anonymous access in the server's own DCOM settings but it is ignored!

Indeed this is a surprise to me. Are you sure?

See if the information here is enlightening: http://technet.microsoft.com/en-ca/library/bb457156.aspx#EIAA

Brian
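The "two gateways" Brian describes can be checked directly, because dcomcnfg stores both of them in the registry as binary security descriptors: the machine-wide limits and defaults live under HKLM\SOFTWARE\Microsoft\Ole (MachineAccessRestriction, DefaultAccessPermission and their Launch counterparts), and a server's own ACL lives under its AppID key (AccessPermission, LaunchPermission). The script below is an added example written for this thread, not code from either poster or from Microsoft. It decodes each descriptor and reports whether ANONYMOUS LOGON (S-1-5-7) is allowed remote access at each gateway, so you can see which of the two is blocking a call before touching anything in dcomcnfg. The AppID GUID is a placeholder you replace with your server's; the script is read-only and assumes an elevated PowerShell on XP SP2 / Vista or later.

```powershell
# Added example, not part of the original thread: audit both DCOM "gateways"
# (machine-wide limits/defaults and one server's own ACL) for ANONYMOUS LOGON.
# Assumptions: elevated PowerShell on XP SP2 / Vista or later; $AppId is a
# placeholder you replace with the AppID GUID of your DCOM server.

$AppId = '{00000000-0000-0000-0000-000000000000}'   # hypothetical placeholder

# Access-mask bits used in DCOM access/launch permission ACEs.
$COM_RIGHTS_EXECUTE         = 0x01   # legacy bit; alone it means local + remote
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

$AnonymousSid = 'S-1-5-7'   # ANONYMOUS LOGON (no longer inside Everyone on XP SP2+)

function Get-DcomAcl {
    param([string]$Key, [string]$Value)
    # Each value is a REG_BINARY self-relative security descriptor. An absent
    # value means dcomcnfg never wrote one and the next level of default applies
    # (per-server -> DefaultAccessPermission -> built-in default).
    $prop = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @() }
    $bytes = [byte[]]$prop.$Value
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $aces = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $aces += [pscustomobject]@{
            Sid  = $ace.SecurityIdentifier.Value
            Type = $ace.AceType.ToString()    # AccessAllowed / AccessDenied
            Mask = [int]$ace.AccessMask
        }
    }
    return $aces
}

function Test-AnonymousRemote {
    param($Aces)
    # Anonymous gets remote calls only if an allow ACE grants EXECUTE_REMOTE
    # (or the legacy EXECUTE-only mask) and no deny ACE for the same SID
    # takes it away.
    $allow = $false; $deny = $false
    foreach ($a in @($Aces | Where-Object { $_.Sid -eq $AnonymousSid })) {
        $remote = (($a.Mask -band $COM_RIGHTS_EXECUTE_REMOTE) -ne 0) -or
                  (($a.Mask -band 0x1F) -eq $COM_RIGHTS_EXECUTE)
        if (-not $remote) { continue }
        if ($a.Type -eq 'AccessAllowed') { $allow = $true }
        if ($a.Type -eq 'AccessDenied')  { $deny  = $true }
    }
    return ($allow -and -not $deny)
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }   # unresolvable SIDs are shown raw
}

$ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$appKey = "HKLM:\SOFTWARE\Classes\AppID\$AppId"

$gates = @(
    @{ Name = 'Gateway 1: machine-wide access LIMITS  ("Edit limits")';  Key = $ole;    Value = 'MachineAccessRestriction' },
    @{ Name = 'Machine-wide access DEFAULTS ("Edit default")';           Key = $ole;    Value = 'DefaultAccessPermission' },
    @{ Name = "Gateway 2: server $AppId AccessPermission";               Key = $appKey; Value = 'AccessPermission' }
)

foreach ($g in $gates) {
    $aces = @(Get-DcomAcl -Key $g.Key -Value $g.Value)
    $status = if ($aces.Count -eq 0) { 'value not set (next default level applies)' }
              elseif (Test-AnonymousRemote $aces) { 'ANONYMOUS LOGON remote access ALLOWED' }
              else { 'ANONYMOUS LOGON remote access NOT allowed' }
    '{0}: {1}' -f $g.Name, $status
    foreach ($a in $aces) {
        '    {0,-13} {1,-32} mask=0x{2:X2}' -f $a.Type, (Resolve-SidName $a.Sid), $a.Mask
    }
}
```

Both gateways must report ALLOWED for an anonymous remote call to get through; the ACTIVATE bits and the Launch/MachineLaunchRestriction values matter only for activation, which the question excludes because the server is already running. The script only reads the descriptors; make any change through dcomcnfg as described in the thread, since a malformed binary descriptor written by hand can lock out every DCOM server on the machine.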
