C++Builder 5 Developers Guide
The DCOMCnfg Utility Tool
The DCOM Configuration Utility ( DCOMCnfg.exe ) is the tool that you use to modify DCOM settings that are specific to a server or that apply system-wide acting on all registered servers on a given machine.
When you run the DCOMCnfg utility tool, you're presented with a dialog-based screen (see Figure 18.1), which exhibits the following tabs: Applications, Default Properties, Default Security, and Default Protocols.
Figure 18.1. The DCOMCnfg configuration utility tool.
NOTE
All relevant discussion of DCOMCnfg.exe in this chapter is based on the version that comes with Windows NT 4.0 with Service Pack 4 or later and Windows. Windows 9X presents a slightly modified version of this configuration tool. Windows XP uses the Component Services Administrative Tool, invoked from the Control Panel Administrative Tools, which looks and acts differently. See the Windows XP Help in the Component Services tool for more information on the special features of that tool.
Global Security Settings
The Applications tab shows a list of all the servers containing the AppID Registry key that are registered on the machine. You can select any server and click the Properties button to have access to its settings.
The Default Properties tab (see Figure 18.2) is the place where you can completely enable or disable DCOM on the computer and configure system-wide default levels of authentication and impersonation.
Figure 18.2. The Default Properties tab.
On this tab, you also have the option to enable or disable COM Internet Services (CIS). CIS introduces new features to the DCOM model that enable clients and servers to communicate in the presence of proxy servers and firewalls. You can learn more about CIS on the Microsoft MSDN Web site at http://msdn.microsoft.com/library/backgrnd/html/cis.htm.
Authentication can be configured for when a client first connects, when a method call is made, or on every network packet passed between the client and server.
You can turn off authentication by selecting None at the Default Authentication Level combo box. Although risky, this would allow users without valid security credentials to have access to your server. Users coming from the Internet, for example, could benefit from this option.
The Default Impersonation Level combo box controls whether the server can determine the identity of the connected client and, if it can, use this identity to access system resources acting like the client itself. You can choose from the following:
-
Anonymous ” The client identity is unavailable.
-
Identity ” The server can impersonate the client only to obtain its identity.
-
Impersonate ” The server can impersonate the client to access local system resources on the client's behalf .
-
Delegate ” The server can impersonate the client to access local and remote resources on the client's behalf. Requires Windows 2000 running Kerberos as the Security Service Provider (SSP).
In the Default Security tab (see Figure 18.3), you can configure system-wide defaults for access, launch, and configuration permissions.
Figure 18.3. The Default Security tab.
Default Access Permissions relates to who is allowed or denied access to servers registered on the machine. If you want to let any user access your server, you can allow access permission to the built-in account Everyone .
Default Launch Permissions relates to who is authorized to load and run a server process. If you want to let any user execute your server, you can allow launch permission to the built-in Everyone account. Note that this option cannot be set programmatically.
Default Configuration Permissions states the precise type of access (Read, Full Control, or Special Access) you can set under HKEY_CLASSES_ROOT Registry key. This effectively controls user access rights to Registry entries related to DCOM setting.
The Default Protocols tab (see Figure 18.4) is used to arrange the ordering and availability of network protocols used by DCOM. You can configure DCOM for access over firewalls by selecting the desired network protocol and clicking the Properties button. Unless you have a good understanding of network protocols and operating system administration, you should leave these options unchanged.
Figure 18.4. The Default Protocols tab.
Bear in mind that all options in the Default Properties tab and Default Security tab operate system wide. Modifying those options are likely to break some server installed on the system. The best course of action is to only change the settings for an explicit server component.
Per-Server Security Settings
Selecting a server from the Applications tab and clicking the Properties button gives you access to the security options related to that specific server.
The General tab (see Figure 18.5) on the Easy DCOM Type Library 1.0 Properties dialog shows the server's registered name , its type, local path , and authentication level. You can use the Authentication Level combo box to modify the authentication level of the server.
Figure 18.5. The General tab.
From the Location tab (see Figure 18.6), you can select from where the server will be executed. For example, by checking the Run application on the following computer option and entering the name of the computer, you can change the location from where the server will be activated.
Figure 18.6. The Location tab.
The Security tab (see Figure 18.7) enables you to choose between using the system-wide default security settings or using custom security settings. All custom options work the same as the options showed for the Default Security tab (refer to Figure 18.3).
Figure 18.7. The Security tab.
The Identity tab (see Figure 18.8) is where you configure the account under which the server will run. The options are
Figure 18.8. The Identity tab.
-
The interactive user ” Uses the account of the user who happens to be logged on at the server's machine. When there is no one logged on the system, the activation request will fail. This option is useful for debugging purposes because the server might have access to the desktop of the logged user.
-
The launching user ” Uses the account of the user that requested the server object. A new copy of the server process will be created for every distinct client. This is the default option and must be avoided because it is not good for distributed applications.
-
This user ” Uses a specific account that can be a local or domain account. You can elect to use an already defined account or create a new one to suit your needs. Most of the time, this is the preferred option to choose from because you know beforehand the privileges your server will have when it's running.
DCOM will use the default global settings stored in the Registry on behalf of every server that has not been customized through the use of the DCOMCnfg utility tool. If you do customize the settings of a server, those settings will take precedence over the global ones. Nevertheless, programmatic security will always take precedence over declarative security.
You should always remember to configure Launch Permissions setting the users or group of users authorized to launch your server. Forgetting to do so might make your server unavailable for remote-client access.
You are not going to cover the Endpoints tab in this chapter. Please refer to the DCOMCnfg documentation for further information.
|
Top |