Data Security in MTS and DCOM

Are data encrypted when transferred by RPCs in MTS or DCOM?
VBGuru Commented:
Remote Procedure Call (RPC) authentication refers to the level of data integrity guaranteed for communication between two computers across the network.

For remote ActiveX components running on any Windows operating system, RPC provides seven levels of authentication, as shown in the following table.
| Value | Name | Description |
|---|---|---|
| 0 | Default | Use network default. |
| 1 | None | No authentication. |
| 2 | Connect | Connection to the server is authenticated. |
| 3 | Call | Authenticates only at the beginning of each remote procedure call, when the server receives the request. Does not apply to connection-based protocol sequences (those that start with the prefix "ncacn"). |
| 4 | Packet | Verifies that all data received is from the expected client. |
| 5 | Packet Integrity | Verifies that none of the data transferred between client and server has been modified. |
| 6 | Packet Privacy | Verifies all previous levels, and encrypts the argument values of each remote procedure call. |
The levels are listed in order of increasing authentication. Each new level adds to the authentication provided by the previous level. If the RPC run-time library does not support the specified level, it automatically upgrades to the next higher supported level.
Further information, including the RPC constant names used for C/C++ programs, can be found by searching for authentication-level constants in the online Help for RPC.
Using Authentication
The need for RPC authentication should be evaluated carefully, because as the level of RPC authentication increases, performance declines. You can specify an authentication level for each class in your ActiveX component, so that costly levels like encryption need not be applied to the entire server.
For example, a data service implemented as a remote ActiveX component might have a Logon class used to transmit user and password information, and this class might require Packet Privacy authentication. Other classes exposed by the server might use a much lower level of authentication.
The authentication level is specified in the Windows Registry of the client computer, under the CLSID of the remote object. The subkey is named ‘AuthenticationLevel.’ If this subkey is not present, None is used. If the value is not one of those listed in the preceding table, an RPC run-time error occurs.
You can choose a default authentication level for a client that will use your remote server, and override that default for specific classes that require more strict authentication.
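As an added example (not part of the answer above), the following PowerShell script audits the per-class AuthenticationLevel settings the answer describes and lists every registered class whose level is below Packet Privacy, i.e. whose call arguments cross the network unencrypted. It assumes the value lives at HKCR\CLSID\{clsid}\AuthenticationLevel on the client, as stated above, and that it may be stored as either a string or a DWORD.

```powershell
# Added example: audit client-side RPC authentication levels for remote classes.
# Assumption: value stored at HKCR\CLSID\{clsid}\AuthenticationLevel (per the answer).
$LevelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$MinimumLevel = 6   # Only Packet Privacy encrypts the argument values of each call

function Get-RemoteClassAuthLevel {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.AuthenticationLevel) { return }

        # Normalise REG_SZ or REG_DWORD to an integer; anything unparsable or
        # outside 0..6 is the case the answer says raises an RPC run-time error.
        $level = 0
        $valid = [int]::TryParse([string]$props.AuthenticationLevel, [ref]$level) -and
                 $LevelNames.ContainsKey($level)
        $progId = (Get-ItemProperty -Path "$($_.PSPath)\ProgID" -ErrorAction SilentlyContinue).'(default)'

        [pscustomobject]@{
            CLSID     = $_.PSChildName
            ProgId    = $progId
            Level     = if ($valid) { $level } else { $null }
            LevelName = if ($valid) { $LevelNames[$level] } else { 'INVALID (RPC run-time error)' }
            Encrypted = $valid -and ($level -ge $MinimumLevel)
        }
    }
}

# Report classes whose remote calls are not protected by Packet Privacy.
Get-RemoteClassAuthLevel |
    Where-Object { -not $_.Encrypted } |
    Sort-Object Level |
    Format-Table CLSID, ProgId, Level, LevelName -AutoSize
```

Run it on the client machine, since the answer places the setting in the client's registry rather than the server's.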
garyz31 (Author) Commented:
Does level 6 encrypt the return values as well?
Yes. It is basically how well the RPC can provide the integrity of your data: the more checks, the more reliable your data is. It's basically a compromise between the speed of communication and data integrity.