RE: dcom permissions and vista?
- From: David Moore <DavidNM@xxxxxxxxxxxxxxxx>
- Date: Fri, 6 Apr 2007 14:20:01 -0700
Charles,
I think you identified the issue exactly. The error no longer appears in
the event log. I'm hitting another issue which I believe is unrelated, so I
think I'm good for now. Thanks for pointing me in the right direction!
-dave
"Charles Wang[MSFT]" wrote:
Hi,
I understand that you encountered the DCOM local activation permission
issue on Vista; however, your application worked fine on Windows XP.
If I have misunderstood, please let me know.
I would like to know if you ran dcomcnfg.exe to explicitly configure the
user BLAH with Local Activation and Local Launch permissions.
Windows Vista does indeed make some changes in handling DCOM, and you may
need to implement the permission programmatically. I recommend that you refer to the
section "COM Permissions and Mandatory Access Labels" of this article:
The COM Elevation Moniker
http://msdn2.microsoft.com/en-us/library/ms679687.aspx
For your convenience, I have extracted it here:
===================================
Windows Vista introduces the notion of Mandatory Access Labels in security
descriptors. The label dictates whether clients can get execute access to a
COM object. The label is specified in the system access control list (SACL)
portion of the security descriptor. In Windows Vista, COM supports the
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP label. SACLs in the COM permissions
are ignored on operating systems prior to Windows Vista.
In Windows Vista, dcomcnfg.exe does not support changing the integrity
level (IL) in COM permissions. It must be set programmatically.
The following code example shows how to create a COM security descriptor
with a label that allows launch/activation requests from all LOW IL
clients. Note that the labels are valid for Launch/Activation and Call
permissions. Thus, it is possible to write a COM server that disallows
launch, activation or calls from clients with a certain IL. For more
information about integrity levels, see the section "Understanding Windows
Vista's Integrity Mechanism" in Understanding and Working in Protected Mode
Internet Explorer.
#include <windows.h>
#include <sddl.h>

BOOL GetLaunchActPermissionsWithIL (SECURITY_DESCRIPTOR **ppSD)
{
    // Allow World Local Launch/Activation permissions. Label the SD for LOW IL
    // Execute UP
    LPCWSTR lpszSDDL = L"O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;LW)";
    SECURITY_DESCRIPTOR *pSD = NULL;
    *ppSD = NULL;

    // On success the descriptor is allocated by the API; the caller frees it
    // with LocalFree.
    if (ConvertStringSecurityDescriptorToSecurityDescriptorW(lpszSDDL,
            SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)&pSD, NULL))
    {
        *ppSD = pSD;
        return TRUE;
    }
    return FALSE;
}

BOOL SetLaunchActPermissions(HKEY hkey, PSECURITY_DESCRIPTOR pSD)
{
    BOOL bResult = FALSE;
    DWORD dwLen = GetSecurityDescriptorLength(pSD);
    LONG lResult;

    // Store the security descriptor as the binary LaunchPermission value.
    lResult = RegSetValueExA(hkey,
                             "LaunchPermission",
                             0,
                             REG_BINARY,
                             (BYTE*)pSD,
                             dwLen);
    if (lResult != ERROR_SUCCESS) goto done;
    bResult = TRUE;
done:
    return bResult;
}
==================================
Hope this helps. If you have any other questions or concerns, please feel
free to let me know.
Best regards,
Charles Wang
Microsoft Online Community Support
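An added example, not part of the original posts or the quoted MSDN article: a Python sketch that decodes the SDDL string passed to GetLaunchActPermissionsWithIL, so the DACL grant and the mandatory label can be reviewed before the descriptor is written to LaunchPermission. The function names, the simplified parser (hex rights, no conditional ACEs) and the medium-IL comparison string are assumptions made for illustration.

```python
import re

# COM access-mask bits (COM_RIGHTS_* values from the Windows SDK).
COM_RIGHTS = {0x1: "EXECUTE", 0x2: "EXECUTE_LOCAL", 0x4: "EXECUTE_REMOTE",
              0x8: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}
# SDDL integrity-level SID aliases, ordered lowest to highest.
IL_ORDER = ["LW", "ME", "HI", "SI"]
LABEL_POLICY = {"NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
PAGE_SDDL = "O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;LW)"    # string from the code above
MEDIUM_SDDL = "O:BAG:BAD:(A;;0xb;;;WD)S:(ML;;NX;;;ME)"  # constructed for comparison

def parse_sddl(sddl):
    """Split an SDDL string into owner, group and DACL/SACL ACE field tuples."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    aces = lambda s: [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", s)]
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl": aces(parts.get("D", "")), "sacl": aces(parts.get("S", ""))}

def com_rights(mask_field):
    """Decode a hex ACE rights field (e.g. '0xb') into COM_RIGHTS_* names."""
    mask = int(mask_field, 16)
    return [name for bit, name in COM_RIGHTS.items() if mask & bit]

def mandatory_label(sd):
    """Return (policy names, integrity alias) of the first ML ACE, or None."""
    for ace in sd["sacl"]:
        if ace[0] == "ML":
            policies = [LABEL_POLICY[ace[2][i:i + 2]] for i in range(0, len(ace[2]), 2)]
            return policies, ace[5]
    return None

def label_allows_execute(sd, client_il):
    """True if client_il passes the label's NO_EXECUTE_UP check (DACL still applies)."""
    label = mandatory_label(sd)
    if label is None:
        return None  # no label present; the OS default is not modelled here
    policies, object_il = label
    if "NO_EXECUTE_UP" not in policies:
        return True
    return IL_ORDER.index(client_il) >= IL_ORDER.index(object_il)

if __name__ == "__main__":
    sd = parse_sddl(PAGE_SDDL)
    for ace in sd["dacl"]:
        print("DACL:", ace[0], ace[5], com_rights(ace[2]))
    print("Label:", mandatory_label(sd))
    print("Low IL client may execute:", label_allows_execute(sd, "LW"))
```

With the page's string, the DACL grants Everyone (WD) local launch and local activation only, and the LW label is what lets Low IL clients through; the constructed ME variant refuses them.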