RE: dcom permissions and vista?



Hi,
I understand that you encountered the DCOM local activation permission
issue on Vista; however your application worked fine on Windows XP.
If I have misunderstood, please let me know.

I would like to know whether you ran dcomcnfg.exe to explicitly configure the
user BLAH with Local Activation and Local Launch permissions.

Windows Vista does indeed make some changes in how DCOM is handled, and you
may need to write code to implement the permission. I recommend that you refer
to the section "COM Permissions and Mandatory Access Labels" of this article:
The COM Elevation Moniker
http://msdn2.microsoft.com/en-us/library/ms679687.aspx

For your convenience, I extract it here:
===================================
Windows Vista introduces the notion of Mandatory Access Labels in security
descriptors. The label dictates whether clients can get execute access to a
COM object. The label is specified in the system access control list (SACL)
portion of the security descriptor. In Windows Vista, COM supports the
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP label. SACLs in the COM permissions
are ignored on operating systems prior to Windows Vista.

In Windows Vista, dcomcnfg.exe does not support changing the integrity
level (IL) in COM permissions. It must be set programmatically.

The following code example shows how to create a COM security descriptor
with a label that allows launch/activation requests from all LOW IL
clients. Note that the labels are valid for Launch/Activation and Call
permissions. Thus, it is possible to write a COM server that disallows
launch, activation or calls from clients with a certain IL. For more
information about integrity levels, see the section "Understanding Windows
Vista's Integrity Mechanism" in Understanding and Working in Protected Mode
Internet Explorer.

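#include <windows.h>
#include <sddl.h>

BOOL GetLaunchActPermissionsWithIL (SECURITY_DESCRIPTOR **ppSD)
{
    // Allow World Local Launch/Activation permissions. Label the SD for LOW IL
    // Execute UP
    SECURITY_DESCRIPTOR *pSD = NULL;
    LPCWSTR lpszSDDL = L"O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;LW)";
    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(lpszSDDL,
            SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)&pSD, NULL))
    {
        // The caller owns the returned buffer and frees it with LocalFree().
        *ppSD = pSD;
        return TRUE;
    }
    // Conversion failed; GetLastError() holds the reason.
    return FALSE;
}

// hkey is expected to be the COM server's AppID registry key, opened for write.
BOOL SetLaunchActPermissions(HKEY hkey, PSECURITY_DESCRIPTOR pSD)
{
    BOOL bResult = FALSE;
    // The descriptor returned by the conversion above is self-relative,
    // so its bytes can be stored directly as a REG_BINARY value.
    DWORD dwLen = GetSecurityDescriptorLength(pSD);
    LONG lResult;
    lResult = RegSetValueExA(hkey,
                             "LaunchPermission",
                             0,
                             REG_BINARY,
                             (const BYTE*)pSD,
                             dwLen);
    if (lResult != ERROR_SUCCESS) goto done;
    bResult = TRUE;
done:
    return bResult;
}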
==================================

Hope this helps. If you have any other questions or concerns, please feel
free to let me know.

Best regards,
Charles Wang
Microsoft Online Community Support
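
To check what a descriptor like the one above actually grants before it is written to LaunchPermission, the following added example (not part of the post or the MSDN excerpt) decodes the SDDL string in portable C. The names `com_sd_summary`, `summarize_com_sddl`, `COM_LOCAL` and `COM_REMOTE` are hypothetical, and only numeric rights fields such as `0xb` are handled.

```c
#include <stdlib.h>
#include <string.h>
/* COM_RIGHTS_* bit values as defined in the Windows SDK, grouped for auditing. */
#define COM_LOCAL  (0x02 | 0x08) /* EXECUTE_LOCAL | ACTIVATE_LOCAL   */
#define COM_REMOTE (0x04 | 0x10) /* EXECUTE_REMOTE | ACTIVATE_REMOTE */

typedef struct {               /* hypothetical summary type for this example */
    unsigned long allow_mask;  /* rights of the first allow (A) ACE */
    char trustee[16];          /* its trustee, e.g. "WD" (Everyone) */
    int  local_only;           /* local launch+activation, no remote bits */
    int  has_label;            /* a mandatory label (ML) ACE is present */
    char policy[8], level[16]; /* label policy ("NX") and level ("LW") */
} com_sd_summary;

/* Copy field n (0-based, ';'-separated) of the ACE starting at '(' into out. */
static int ace_field(const char *ace, int n, char *out, size_t cap)
{
    const char *p = ace + 1;
    while (n-- > 0) {
        p += strcspn(p, ";)");
        if (*p++ != ';') return 0;   /* ACE ended before field n */
    }
    size_t len = strcspn(p, ";)");
    if (len >= cap) return 0;        /* field too long for the buffer */
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Walk every "(...)" ACE; returns 1 if an allow ACE was found and parsed. */
int summarize_com_sddl(const char *sddl, com_sd_summary *s)
{
    char type[8], rights[16];
    memset(s, 0, sizeof *s);
    for (const char *p = strchr(sddl, '('); p; p = strchr(p + 1, '(')) {
        if (!ace_field(p, 0, type, sizeof type)) return 0;
        if (!strcmp(type, "A") && !s->trustee[0]) {
            if (!ace_field(p, 2, rights, sizeof rights) ||
                !ace_field(p, 5, s->trustee, sizeof s->trustee)) return 0;
            s->allow_mask = strtoul(rights, NULL, 0);
            s->local_only = (s->allow_mask & COM_LOCAL) == COM_LOCAL && !(s->allow_mask & COM_REMOTE);
        } else if (!strcmp(type, "ML")) {
            if (!ace_field(p, 2, s->policy, sizeof s->policy) ||
                !ace_field(p, 5, s->level, sizeof s->level)) return 0;
            s->has_label = 1;
        }
    }
    return s->trustee[0] != '\0';
}
```

For the string in the post this reports mask 0xb granted to WD, local launch and activation only, and a mandatory label with policy NX at level LW.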