Server Reference Guide : Configuring the OpenROAD Server : DCOM Security : Enhanced DCOM Security
 
Share this page          
Enhanced DCOM Security
Beginning with Windows XP Service Pack 2 Microsoft introduced an enhanced DCOM security model. This enhancement was also incorporated into Windows Server 2003 Service Pack 1 and can be expected to be part of all future Windows releases.
There are three types of DCOM security enhancements that impact the OpenROAD ASO and SPO:
Finer-grained DCOM permission types
Narrower definition of the Everyone group
New machine-wide DCOM permission limits
DCOM permissions are now broken down into separate permissions for local and remote access, local and remote launch, and local and remote activation. (Activation refers to the step of establishing an initial connection to a DCOM server. In the context of the OpenROAD Server's usage of DCOM, activation and access permissions are always required as a pair. Prior to Windows XP SP2, DCOM treated activation permission as implied when access permission was granted.)
The Everyone group no longer encompasses unauthenticated users. If you want to grant permissions to unauthenticated users, you must now explicitly use the ANONYMOUS LOGON identifier.
A new set of machine-wide DCOM limits is enforced, and these limits further restrict DCOM permissions granted in the configuration of individual DCOM server applications (such as the SPO). Even though the SPO may be configured to grant remote activation and remote access to Everyone, it will have no effect unless the machine-wide DCOM limits also permit remote activation and remote access to Everyone.
This behavior was retained in the following Microsoft Windows releases:
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7