Exception: Infinite recursion!

Post by Enquiring » Fri, 09 Feb 2007 01:26:34


Hi,

Spotted in MSDN web page DCOM Security Enhancements in Windows XP Service
Pack 2 and Windows Server 2003 Service Pack 1
[ http://www.yqcomputer.com/ ]:

"To provide backward compatibility, an ACL can exist in the format used
before Windows XP SP2 and Windows Server 2003 SP1, which uses only the
access right COM_RIGHTS_EXECUTE, or it can exist in the new format used in
Windows XP SP2 and Windows Server 2003 SP1, which uses COM_RIGHTS_EXECUTE
together with a combination of COM_RIGHTS_EXECUTE_LOCAL,
COM_RIGHTS_EXECUTE_REMOTE, COM_RIGHTS_ACTIVATE_LOCAL, and
COM_RIGHTS_ACTIVATE_REMOTE. Note that COM_RIGHTS_EXECUTE must always be
present; the absence of this right generates an invalid security descriptor.
Also note that you must not mix the old format and the new format within a
single ACL; either all access control entries (ACEs) must grant only the
COM_RIGHTS_EXECUTE access right, or they all must grant COM_RIGHTS_EXECUTE
together with a combination of COM_RIGHTS_EXECUTE_LOCAL,
COM_RIGHTS_EXECUTE_REMOTE, COM_RIGHTS_ACTIVATE_LOCAL, and
COM_RIGHTS_ACTIVATE_REMOTE. For more information, see DCOM Security
Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service
Pack 1 [ http://www.yqcomputer.com/ ] ."

In the last sentence of the quote the cross reference to itself for more
information sent my head reeling into an infinite recursive loop! Let's hope
that the DCOM security code is more thoroughly debugged than the
documentation! Otherwise however high a level of security is built into
DCOM, the developer without a unified complete and clear definition of the
security rules applied by DCOM to refer to and analyse performance against
will not be able to satisfy himself/herself about the level of security
actually being achieved. In the absence of such a unified definition there
is a high risk the objective of the security framework may be defeated
because the administrator or developer is compelled to uncomprehendingly
follow recipes known to work rather than applying a full understanding of
the security logic in order to arrive at a set of security settings that
are appropriate for his/her application.

Another suggestion: In view of the fact that each new version of Windows
makes changes to the DCOM security model, it would be helpful if every
article in the MSDN web site addressing COM and DCOM were to clearly
indicate the most recent version of Windows to which the article has been
updated. The updating of an article to a new version of Windows should where
possible be carried through to all articles cross-referenced in hyperlinks.
Otherwise we have the "DLL hell" syndrome repeated in the linking of
mutually incompatible article revisions.

Regards,

Enquiring Mind
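The two rules in the quoted MSDN passage (COM_RIGHTS_EXECUTE present in every ACE, and no mixing of old-format and new-format ACEs in one ACL) can be checked mechanically; the following is an added example, not code from the original post or from MSDN. The verdict enum and `classify_com_acl` are hypothetical names, and the sample masks are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* COM access-right bits, with the values the Windows SDK headers give them. */
#define COM_RIGHTS_EXECUTE         0x01u
#define COM_RIGHTS_EXECUTE_LOCAL   0x02u
#define COM_RIGHTS_EXECUTE_REMOTE  0x04u
#define COM_RIGHTS_ACTIVATE_LOCAL  0x08u
#define COM_RIGHTS_ACTIVATE_REMOTE 0x10u
#define COM_NEW_BITS (COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE_REMOTE | \
                      COM_RIGHTS_ACTIVATE_LOCAL | COM_RIGHTS_ACTIVATE_REMOTE)

/* Hypothetical verdict codes, defined only for this example. */
typedef enum { ACL_EMPTY, ACL_OLD_FORMAT, ACL_NEW_FORMAT,
               ACL_ERR_NO_EXECUTE, ACL_ERR_MIXED, ACL_REVIEW_OTHER_BITS } acl_verdict;

/* Classify the access masks of one ACL's ACEs against the quoted rules. */
acl_verdict classify_com_acl(const uint32_t *masks, size_t n)
{
    int saw_old = 0, saw_new = 0;
    if (n == 0)
        return ACL_EMPTY;                 /* no ACEs, nothing to check */
    for (size_t i = 0; i < n; i++) {
        uint32_t m = masks[i];
        /* Assumption of this example: bits outside the five COM rights
           are outside the quoted rule and are flagged for manual review. */
        if (m & ~(COM_RIGHTS_EXECUTE | COM_NEW_BITS))
            return ACL_REVIEW_OTHER_BITS;
        if (!(m & COM_RIGHTS_EXECUTE))    /* EXECUTE must always be present */
            return ACL_ERR_NO_EXECUTE;
        if (m & COM_NEW_BITS) saw_new = 1; else saw_old = 1;
        if (saw_old && saw_new)           /* old and new ACEs in one ACL */
            return ACL_ERR_MIXED;
    }
    return saw_new ? ACL_NEW_FORMAT : ACL_OLD_FORMAT;
}

int main(void)
{
    /* Constructed sample ACLs, not taken from any real system. */
    const uint32_t old_acl[]   = { 0x01, 0x01 };
    const uint32_t new_acl[]   = { 0x1F, 0x0B };
    const uint32_t mixed_acl[] = { 0x01, 0x07 };
    const uint32_t bad_acl[]   = { 0x06 };
    printf("old=%d new=%d mixed=%d bad=%d\n",
           classify_com_acl(old_acl, 2), classify_com_acl(new_acl, 2),
           classify_com_acl(mixed_acl, 2), classify_com_acl(bad_acl, 1));
    return 0;
}
```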
 
 
 

Post by Brian Mut » Fri, 09 Feb 2007 03:00:52

For what it's worth, I concur. Setting DCOM security is not for the faint of
heart.

Mind you, security in the Windows world is complex to begin with, and one
really needs a background in the basics (ACLs and so forth) to even begin
to understand DCOM security.

You may be interested in acquiring the following textbook for your
bookshelf:

http://www.yqcomputer.com/

Welcome to the newsgroup, by the way. It's nice to read posts by people
willing to spell entire words, and create full sentences. (Not to nitpick,
but shouldn't it be "Inquiring Mind"? ;-)

Brian

 
 
 

Post by Igor Tande » Fri, 09 Feb 2007 03:17:51


I believe "enquiring" is a British variant. See

http://www.yqcomputer.com/

Further confirmed by the fact that the OP's provider is British Telecom.
--
With best wishes,
Igor Tandetnik

With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead. -- RFC 1925
 
 
 

Post by Brian Mut » Fri, 09 Feb 2007 03:33:01


As a Canadian, we tend to adopt a spelling form somewhere between the
British and the Americans. Often both are acceptable here, but I was
unfamiliar with "enquiring" and "inquiring".

It certainly adds colour to the language. (or is that "color"?)
 
 
 

Post by Enquiring » Fri, 09 Feb 2007 18:15:30


Thanks for the moral support ... Is DCOM security not for the faint of heart
due to an intrinsic, unavoidable complexity of the underlying 'world' model,
or due to deficiencies in design, implementation, or documentation?

That probably answers the above question in part. So the difficulties may be
the combined effect of model complexity and inadequate documentation.

Thanks for useful reference. I note that one of the reviews laments the need
for such a book!


Thanks. With copy and paste, autocompletion, etc., I have never understood
the need for acronyms for common English expressions. The convenience of
many readers should take priority over the convenience of one writer, in my
view. Regarding the spelling of "Enquiring", Igor Tandetnik has hit the nail
on the head!

Enquiring Mind