What do the different DCOM / COM security settings mean?

Justin · Oct 19, 2012 · Viewed 17.7k times

Our application uses COM and DCOM extensively, and so as part of that we need to ensure that the COM security permissions are correctly set up. I know that I can access these permissions under the Component Services MMC snap-in and that I can set the defaults / limits under the property pages for the Computer:

Screenshot of the My Computer property pages

And that under the DCOM Config node I can drill down and set security permissions for individual applications:

Screenshot of the Logger application property pages

I also understand the relationship between the "Defaults" (what DCOM applications will use unless permissions are explicitly set on a per-application basis) and the "Limits" (what permissions will be enforced even if per-application settings exceed these settings); however, I don't understand (and can't find any documentation on) the difference between the different settings that I can set:

  • What's the difference between "Access", "Launch", "Activation" and "Configuration" permissions?
  • Do these settings affect COM applications, or only DCOM applications?
  • If using remote DCOM, do I need to set permissions on both the server and the client, or just the client?
  • Is there any documentation which explains the above?

Answer

Roman R. · Oct 19, 2012

The settings on the security tab are the per-AppID security configuration in the registry, and you will find more information about this on MSDN under AppID Key:

AccessPermission: Describes the Access Control List (ACL) of the principals that can access instances of this class. This ACL is used only by applications that do not call CoInitializeSecurity.

LaunchPermission: Describes the Access Control List (ACL) of the principals that can start new servers for this class.

When a COM client attempts to access a COM server, the COM subsystem checks the client-side credentials against these access lists and decides whether to allow access to the server, and if the server is not yet started, whether to allow its start. Hence the two lists - for regular access and for new server launch (should it be necessary).

Note that these are per-application settings. Specific classes should have CLSID to APPID mappings in the registry to be properly associated.
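
An added example, not part of the original answer: the AccessPermission and LaunchPermission values described above are stored under the AppID key as REG_BINARY self-relative security descriptors, and this Python code decodes one into its ACEs with the COM_RIGHTS_* mask bits from the Windows SDK named. The sample bytes are constructed for illustration, and the function names `parse_sid`, `parse_permission` and `remote_allows` are hypothetical.

```python
import struct

# COM_RIGHTS_* access-mask bits as defined in the Windows SDK headers.
COM_RIGHTS = {0x01: "EXECUTE", 0x02: "EXECUTE_LOCAL", 0x04: "EXECUTE_REMOTE",
              0x08: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}
ACE_TYPES = {0: "ALLOW", 1: "DENY"}  # ACCESS_ALLOWED / ACCESS_DENIED ACE types

def parse_sid(buf, off):
    """Render the binary SID starting at buf[off] in S-R-A-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_permission(sd):
    """Decode the DACL of a self-relative descriptor into (type, sid, rights)."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:           # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:      # SE_DACL_PRESENT
        raise ValueError("descriptor carries no DACL")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    end = dacl_off + acl_size
    if end > len(sd):
        raise ValueError("ACL runs past the end of the value")
    off, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type not in ACE_TYPES or ace_size < 16 or off + ace_size > end:
            raise ValueError("unsupported or malformed ACE at offset %d" % off)
        rights = [name for bit, name in COM_RIGHTS.items() if mask & bit]
        aces.append((ACE_TYPES[ace_type], parse_sid(sd, off + 8), rights))
        off += ace_size
    return aces

def remote_allows(aces):
    """SIDs to which an ALLOW ACE grants any *_REMOTE right (bits as stored)."""
    return [sid for kind, sid, rights in aces
            if kind == "ALLOW" and any(r.endswith("_REMOTE") for r in rights)]

# Constructed sample value (not taken from a real system).
SAMPLE_SD = bytes.fromhex(
    "0100048000000000000000000000000014000000"   # header, DACL at offset 20
    "0200480003000000"                           # ACL: 72 bytes, 3 ACEs
    "000014001f000000010100000000000512000000"   # ALLOW S-1-5-18, mask 0x1f
    "000014000b000000010100000000000100000000"   # ALLOW S-1-1-0, mask 0x0b
    "000018001f00000001020000000000052000000020020000")  # ALLOW S-1-5-32-544

if __name__ == "__main__":
    for ace in parse_permission(SAMPLE_SD):
        print(ace)
```

On a Windows host the input bytes would come from the `LaunchPermission` or `AccessPermission` value of the AppID being reviewed.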