Data Security in MTS and DCOM

Are data encrypted when transferred by RPCs in MTS or DCOM?

Remote Procedure Call (RPC) authentication refers to the level of data integrity guaranteed for communication between two computers across the network.

For remote ActiveX components running on any Windows operating system, RPC provides seven levels of authentication, as shown in the following table.
| Value | Name | Description |
|---|---|---|
| 0 | Default | Use network default. |
| 1 | None | No authentication. |
| 2 | Connect | Connection to the server is authenticated. |
| 3 | Call | Authenticates only at the beginning of each remote procedure call, when the server receives the request. Does not apply to connection-based protocol sequences (those that start with the prefix "ncacn"). |
| 4 | Packet | Verifies that all data received is from the expected client. |
| 5 | Packet Integrity | Verifies that none of the data transferred between client and server has been modified. |
| 6 | Packet Privacy | Verifies all previous levels, and encrypts the argument values of each remote procedure call. |

The levels are listed in order of increasing authentication. Each new level adds to the authentication provided by the previous level. If the RPC run-time library does not support the specified level, it automatically upgrades to the next higher supported level.
Further information, including the RPC constant names used for C/C++ programs, can be found by searching for authentication-level constants in the online Help for RPC.
Using Authentication
The need for RPC authentication should be evaluated carefully, because as the level of RPC authentication increases, performance declines. You can specify an authentication level for each class in your ActiveX component, so that costly levels like encryption need not be applied to the entire server.
For example, a data service implemented as a remote ActiveX component might have a Logon class used to transmit user and password information, and this class might require Packet Privacy authentication. Other classes exposed by the server might use a much lower level of authentication.
The authentication level is specified in the Windows Registry of the client computer, under the CLSID of the remote object. The subkey is named ‘AuthenticationLevel.’ If this subkey is not present, None is used. If the value is not one of those listed in the preceding table, an RPC run-time error occurs.
You can choose a default authentication level for a client that will use your remote server, and override that default for specific classes that require more strict authentication.
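
An added example (not part of the original answer and not a Microsoft tool): an offline check that reads a `.reg` export taken from a client and reports, per CLSID, whether Packet Privacy is configured, following the rules stated in the answer above. It assumes the setting is exported as a DWORD named `AuthenticationLevel` directly under `HKEY_CLASSES_ROOT\CLSID\{clsid}`; the function names, the sample export and its CLSIDs are constructed for illustration.

```python
import re

# Level numbers and names as listed in the table above.
LEVELS = {0: "Default", 1: "None", 2: "Connect", 3: "Call",
          4: "Packet", 5: "Packet Integrity", 6: "Packet Privacy"}

# ASSUMPTION: in a .reg export the setting is a DWORD named AuthenticationLevel
# directly under HKEY_CLASSES_ROOT\CLSID\{clsid}.
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\]$")
VAL_RE = re.compile(r'^"AuthenticationLevel"=dword:([0-9A-Fa-f]{8})$')

def classify(level):
    """Apply the rules stated in the answer to one class's configured level."""
    if level is None:
        return "absent: None is used, nothing authenticated or encrypted"
    if level not in LEVELS:
        return "invalid value %d: RPC run-time error" % level
    if level == 0:
        return "Default: depends on the network default"
    if level == 6:
        return "Packet Privacy: call arguments encrypted"
    return LEVELS[level] + ": encryption not requested"

def audit(reg_text):
    """Return {clsid: finding} for every CLSID key in a .reg export."""
    levels, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # subkeys and other hives are ignored
            if current:
                levels.setdefault(current, None)
        elif current and VAL_RE.match(line):
            levels[current] = int(VAL_RE.match(line).group(1), 16)
    return {clsid: classify(lv) for clsid, lv in levels.items()}

# Constructed sample export; the CLSIDs are made up for illustration.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
"AuthenticationLevel"=dword:00000006
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
"AuthenticationLevel"=dword:00000002
[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
[HKEY_CLASSES_ROOT\CLSID\{44444444-4444-4444-4444-444444444444}]
"AuthenticationLevel"=dword:00000009
"""

if __name__ == "__main__":
    print("\n".join("%s  %s" % kv for kv in audit(SAMPLE).items()))
```

Classes that carry credentials, such as the Logon class in the answer's example, are the ones to check for the Packet Privacy finding.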

garyz31 (Author) Commented:
Does level 6 encrypt the return values as well?
Yes, it is basically how well the RPC can provide the integrity of your data. The more checks, the more reliable your data is. It's basically a compromise between the speed of communication and data integrity.