INFO: Using DCOM Config (DCOMCNFG.EXE) on Windows NT

This article was previously published under Q176799
This article has been archived. It is offered "as is" and will no longer be updated.
SUMMARY
DCOMCNFG.EXE (DCOM Config) is a utility you can use to secure DCOM Objects you have created. This article describes the DCOM Config interfaces, options, and settings.

Because security is much more limited on Windows 95, Windows 98, and Windows Me, the interface and options may differ on Windows 95, Windows 98, and Windows Me systems. This article is written for those running DCOM Config on Windows NT or Windows 2000 systems.
MORE INFORMATION
The main interface of DCOM Config is divided into the following three tabs:

  • Applications.
  • Default Properties.
  • Default Security.

Applications Tab

The Applications tab shows each of the items registered under the following registry key:
HKEY_CLASSES_ROOT\AppId\
Beneath this key are all of the objects that can be launched on a remote machine. DCOM Config displays just the ProgIDs (friendly names) of each object, such as "Microsoft Word Document" or "Microsoft Access Database." Some objects may register without registering a ProgID; in these cases, the GUID of the object will be displayed, such as "{4E6B942A-01B0-11D1-A9CB-00AA00B7B36F}."

For each item listed in the Applications tab, properties for each application can be viewed by selecting an item and choosing the "Properties" button or by double-clicking an application name.

Default Properties Tab

Each of the values displayed under the Default Properties tab may be found under the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
The first item in the Default Properties tab is a check box:
"Enable Distributed COM on this computer"
This is a global setting for the entire machine. When this option is checked, the machine allows the creation of DCOM objects. If it is not checked, objects cannot be created via DCOM.

NOTE: You must reboot the system in order for a change in this setting to take effect.

The second part of the Default Properties tab is the Default Distributed COM Communication Properties, which has two levels:

  1. Default Authentication Level.
  2. Default Impersonation Level.
These two options can only be modified if DCOM is enabled on this system.

Default Authentication Level (Packet Level)

Authentication Levels are as follows:
   Name                  Description
   ----------------------------------------------------------------------
   None                  No authentication.
   Connect               Authentication occurs when a connection is made
                         to the server. Connectionless protocols do not
                         use this.
   Call                  The authentication occurs when a RPC call is
                         accepted by the server. Connectionless protocols
                         do not use this.
   Packet                Authenticates the data on a per-packet basis.
                         All data is authenticated.
   Packet Integrity      This authenticates that the data has come from
                         the client, and checks that the data has not
                         been modified.
   Packet Privacy        In addition to the checks made by the other
                         authentication techniques, this encrypts the
                         packet.
   Default               May vary depending upon operating system.
NOTE: "Connect" and "Call" are not used for connectionless protocols. Windows NT and Windows 2000 use a connectionless protocol, UDP, by default. However, Windows 95 uses TCP, which is connection-based. Windows 95 machines can only accept calls on the "None" or "Connect" levels.

Default Impersonation Level

If no security is set at the object level, the server uses the security setting specified here as the default. The possible values are:
   Name                  Description
   ----------------------------------------------------------------------
   Anonymous             The client is anonymous. This setting is not
                         currently supported by DCOM.
   Identify              The server can impersonate the client to check
                         permissions in the ACL (Access Control List)
                         but cannot access system objects.
   Impersonate           The server can impersonate the client and
                         access system objects on the client's behalf.
   Delegate              In addition to the Impersonate level, this
                         level can impersonate the client on calls to
                         other servers. This is not supported in the
                         current release of DCOM.
The last item on the Default Properties tab is the "Provide additional security for reference tracking" check box, which tells the server to track connected client applications by keeping an additional reference count. Checking this box uses more memory and may cause COM to slow down, but it ensures that a client application cannot kill a server process by artificially forcing a reference count to zero.

Default Security Tab

There are three options under the Default Security tab. Each of the values stored here can be found in the Windows registry at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
The three options are:

  1. Default Access Permission: This value determines the users and groups that can access an object when no other access permissions are provided. For information on how to give individual access permissions to specific DCOM objects, see the "Application Properties" section later in this document. By default, access is provided to the "System" and "Interactive" groups.
  2. Default Launch Permission: This value determines the users and groups that can launch an object when no other access permissions are provided. For more information on how to give individual launch permissions to specific DCOM objects, see the section "Application Properties" later in this document.
  3. Default Configuration Permission: This value determines the users and groups that may read or modify configuration information for DCOM applications. This also includes which users and groups will have permission to install new DCOM servers.

System Groups

There are several group accounts you will find when you configure users and groups. The following list is a summary of which user belongs to each group:
   Group                 Description
   ----------------------------------------------------------------------
   Interactive           Includes all users who log on to a Windows NT
                         or Windows 2000 system locally (at the
                         console). It does not include users who connect
                         to Windows NT or Windows 2000 resources across
                         a network or are started as a server.
   Network               Includes all users who connect to Windows NT or
                         Windows 2000 resources across a network. It
                         does not include those who connect through an
                         interactive logon.
   Creator/Owner         The Creator/Owner group is created for each
                         sharable resource in the Windows NT system. Its
                         membership is the set of users who either
                         create resources (such as a file) and those who
                         take ownership of them.
   Everyone              All users accessing the system, whether
                         locally, remotely, or across the network.
   System                The local operating system.
The list above includes the group accounts that are intrinsic to Windows NT and Windows 2000 systems. Your particular network may include more groups from which you may choose. In order to determine the membership of each custom group account, you must contact your network administrator.

Application Properties

You can specify custom settings for individual DCOM applications by choosing the Properties button on the "Applications" tab in DCOM Config. The following section describes each tab (General, Location, Security, Identity) and setting found within Application Properties.

General

The General tab provides general information about the application, displaying the Application name, type (local server or remote server), and location (local path or remote computer). These settings are not modifiable through the DCOM Config interface.

The General tab retrieves all of its information from subkeys of the following registry key:
HKEY_CLASSES_ROOT\CLSID\{...CLSID...}
where {...CLSID...} is the unique CLSID for the Object Server currently being viewed.

Location

This tab is used to determine where DCOM will execute the application. There are three possible choices:

  1. Run application on the computer where the data is located: if selected, DCOM will execute the application where the data is located. This is useful only if the application provides a data file for the server application.
  2. Run application on this computer: indicates that the DCOM application should run on the local machine.
  3. Run application on the following computer: allows you to specify a computer on which to execute. (This feature is currently unavailable on Windows NT 4.0 systems, because Windows NT 4.0 does not support full security delegation.)
If more than one of the above is selected, DCOM will use the first applicable option. Client applications may also override this setting.

Security

On the Security tab, you can customize settings for the following individual application permissions:

  1. Access Permissions.
  2. Launch Permissions.
  3. Configuration Permissions.
If you do not customize these settings, the default security settings are used. For more information about the Security tab, see the section earlier in this article on "Default Security."

Identity

This tab is used to determine which account you want to use to run the application. There are four choices by which the system determines which account your DCOM object will run under:

  1. The Interactive User: the application will run using the security context of the user currently logged onto the computer. If this option is selected and the user is not logged on, then the application will not start.
  2. The Launching User: the application will run using the security context of the user who started the application. The launching user and the interactive user may be the same.
  3. This User: you may specify the user whose security context will be used to run the application.
  4. The System Account: this is available only for Windows NT and Windows 2000 services that use DCOM.
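The Default Properties levels and the per-application Identity choice described above all live in the registry keys this article names, so an administrator can review them from a "reg export" file rather than clicking through DCOM Config. The following Python script is an added example, not part of the article or of DCOM Config: it parses a REGEDIT4-style export, maps the numeric levels back to the names in the two tables above, and reports each AppID's identity. The value names it reads (EnableDCOM, LegacyAuthenticationLevel, LegacyImpersonationLevel, and the per-AppID RunAs value, whose literal "Interactive User" selects The Interactive User) come from Microsoft's DCOM registry documentation rather than from this article, and the sample export is constructed.

```python
from collections import defaultdict

# Level names as shown in the two Default Properties tables; the numeric codes are the RPC_C_AUTHN_LEVEL_* /
# RPC_C_IMP_LEVEL_* values the registry stores (from Microsoft documentation, not from this article).
AUTHN_LEVELS = {0: "Default", 1: "None", 2: "Connect", 3: "Call",
                4: "Packet", 5: "Packet Integrity", 6: "Packet Privacy"}
IMP_LEVELS = {0: "Default", 1: "Anonymous", 2: "Identify", 3: "Impersonate", 4: "Delegate"}
OLE_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE"
APPID_KEY = "HKEY_CLASSES_ROOT\\AppId\\"

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key_path: {value_name: value}}; dword values become ints."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            value = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            keys[current][name.strip('"')] = value
    return dict(keys)

def audit(keys):
    """Map the values back to DCOM Config's names and list settings worth a second look."""
    ole = keys.get(OLE_KEY, {})
    report = {"dcom_enabled": ole.get("EnableDCOM", "Y").upper() == "Y",  # assumption: absent = enabled
              "authn": AUTHN_LEVELS.get(ole.get("LegacyAuthenticationLevel", 0), "unknown"),
              "imp": IMP_LEVELS.get(ole.get("LegacyImpersonationLevel", 0), "unknown"),
              "apps": {}, "findings": []}
    if report["dcom_enabled"] and report["authn"] == "None":
        report["findings"].append("default authentication level is None: DCOM calls are not authenticated")
    for key, values in keys.items():
        if not key.startswith(APPID_KEY):
            continue
        appid, runas = key[len(APPID_KEY):], values.get("RunAs")
        # RunAs absent = The Launching User; "Interactive User" = The Interactive User; else This User
        identity = ("The Launching User" if runas is None else
                    "The Interactive User" if runas == "Interactive User" else "This User: " + runas)
        report["apps"][appid] = identity
        if identity == "The Interactive User":
            report["findings"].append(f"{appid} runs in the security context of whoever is logged on")
    return report

# Constructed sample export, not taken from a real machine; the GUID is the one quoted in the article.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="Y"
"LegacyAuthenticationLevel"=dword:00000001
"LegacyImpersonationLevel"=dword:00000002
[HKEY_CLASSES_ROOT\AppId\{4E6B942A-01B0-11D1-A9CB-00AA00B7B36F}]
"RunAs"="Interactive User"
"""
```

Running audit(parse_reg_export(SAMPLE)) on the constructed export reports the authentication level as "None" and the listed AppID as The Interactive User, the two settings an administrator would want to revisit.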
Properties

Article ID: 176799 - Last Review: 12/05/2015 08:10:49 - Revision: 3.0

Microsoft Visual Basic 5.0 Control Creation Edition, Microsoft Visual Basic 5.0 Learning Edition, Microsoft Visual Basic 6.0 Learning Edition, Microsoft Visual Basic 5.0 Professional Edition, Microsoft Visual Basic 6.0 Professional Edition, Microsoft Visual Basic 5.0 Enterprise Edition, Microsoft Visual Basic 6.0 Enterprise Edition
