MSDN web page http://www.yqcomputer.com/
in relation to "DCOM Security Enhancements in Windows XP Service Pack 2 and
Windows Server 2003 Service Pack 1 " that:
"The simplest way to think about these access controls is as an additional
AccessCheck call that is done against a computer-wide access control list
(ACL) on each call, activation, or launch of any COM server on the computer.
If the AccessCheck fails, the call, activation, or launch request is denied.
This is in addition to any AccessCheck that is run against the
If I understand this correctly, when a request for the launch of a COM
server or for access to one of its methods is received by Windows XP SP2 ,
DCOM applies the *most restrictive* security settings of those assigned to
the machine, and those assigned to the specific COM server. First the
machine-wide security is checked, and only if that is passed, is the server
security checked. Is that a correct interpretation?
The implication of this is that if I require to disable security for just a
single DCOM server installed on the computer, I must effectively disable it
for all servers on the same machine. This is because the security settings
applied to the specific server will not work unless settings that are less
than or equally restrictive are applied to the whole machine. Thus if one
wishes to instal a single server that does not require, for sake of example,
user authentication, one is forced to make all other servers bypass user
authentication. In many cases this reduces, rather than enhances, security.
Or is there a way to make DCOM apply only the specific server security
settings if they are assigned, and neglect the machine-wide settings?
Another aspect that is not clear to me is whether the security settings on
the server machine uniquely determine how DCOM on the the server handles
security checks, or whether there is interaction between the the settings on
the server machine and the settings on the machine hosting the client. If I
have disabled user authentication on the server, must I disable it on the
client computer as well, thereby opening up a large security hole for all
servers installed on my client computer?
The motivation for these queries is that I wish to install a DCOM server and
one or more client applications in a *Workgroup* network. My understanding
is that caller authentication is problematic in a workgroup network due to
the lack of a central user directory. Or can one computer in the workgroup
netwrok be configured to provide user registration and authentication
services for the whole network?
Any clarification would be appreciated.