Solved

DCOM Launch Permissions

Posted on 2001-09-12
12
1,337 Views
Last Modified: 2008-02-26
How can I set launch permissions for a DCOM object (using Delphi code) so that a remote user can create an instance of my COM object. This code would achieve the same result as running dcomcnfg.exe, selecting the desired object, clicking "Properties" and changing the launch permissions under the Security tab.

------------------

I've just increased the points to 300 (I tried 800, but Ex-Ex doesn't allow more than 300 per question), and to qualify I would like Delphi code examples please. No links.

What I've found out thus far is as follows:

1. It appears that the API call needed might be CoInitializeSecurity() which is not documented in Delphi's help.

2. I can change default permissions for all DCOM objects using the above function, but that is not what I'm wanting.

3. I would like to give a specific remote user launch permission for a specific DCOM object on my local PC. I can get a remote user's SID using LookupAccountName(), and it's possible that CoInitializeSecurity() may use this.

4. When a COM object's launch permissions are changed (and thus it no longer uses the default launch permissions), that COM object gets a new binary value in the Registry called "LaunchPermission" found under HCR\AppID\{Com Object GUID}. Unfortunately the contents of this binary value are a mystery, and thus I would prefer an API function instead of modifying the Registry directly. (See also Cubud's comment.)

5. The following links may be of use to you:
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/1198/security/security1198.htm&nav=/msj/1198/newnav.htm
http://shrike.depaul.edu/~eklodnic/dcom.htm
http://www.intellution.com/opchub/opcdcom.asp


In summary, the perfect answer would provide code for a function something like this:

function SetRemoteUserLaunchPermissions(MyDCOMGUID: TGUID; RemoteUserName: string; GrantLaunchPermission: Boolean): Boolean;

Thanks,
JB

0
Comment
Question by:JimBob091197
12 Comments
 
LVL 3

Expert Comment

by:cubud
ID: 6476617
Search the web for an app called RegMon, it will monitor all changes to the registry, run dcomcfg.exe while regmon is running and you will be able to see what it did to the registry.

Pete
http://www.HowToDoThings.com (Delphi articles)
http://www.Stuckindoors.com/delphi (Open source)
0
 
LVL 5

Author Comment

by:JimBob091197
ID: 6476854
I'd rather use API functions or another mechanism provided by Windows. I've already found several differences regarding where things are stored in the registry with Win NT, Win 2000 & Win 95/98/ME, so I don't really want to modify the Registry entries directly. Maybe as a last resort...

Thanks,
JB
0
 

Expert Comment

by:lsae
ID: 6477730
listening...
0
 
LVL 1

Expert Comment

by:malsoft
ID: 6478966
JimBob,

As far as point 1 is concerned, have you looked at the MSDN Online library? I found the following about the CoInitializeSecurity() function:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/hh/com/cmf_a2c_8ayh.asp

Hope that explains some of the functionality you'll need...
0
 
LVL 14

Accepted Solution

by:
AvonWyss earned 300 total points
ID: 6479029
JimBob, Microsoft explains the registry setting here:

http://msdn.microsoft.com/library/en-us/com/hh/com/security_3jw9.asp
and
http://msdn.microsoft.com/library/en-us/com/hh/com/reg_33y1.asp

The binary data inside these two keys are ACLs. This may help you with the ACLs:

http://msdn.microsoft.com/library/en-us/security/hh/winbase/acctrlow_7ldf.asp

You may also want to have a look at the ACCCTRL and ACLAPI header translations included in Delphi. Unfortunaltely, the ACLAPI.DLL needed for the latter is not part of the standard windows installation.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 20

Expert Comment

by:Madshi
ID: 6480388
Good comment, AvonWyss...  :-)

I remember having seen the very same question somewhere else somewhen, don't have the link right now. The answer was also to edit the registry directly, if I remember right.

JimBob, if you need help in creating the ACL, you might want to look at my package "madSecurity" (free for non-commercial usage), with which you can e.g. do this:

function WriteAclInString(accountName: string; accessMask: dword) : string;
begin
  with NewAcl do begin
    NewItem(Account(accountName), dwordAccessMask);
    SetLength(result, Size);
    Move(PAcl^, pchar(result)^, Size);
  end;
end;
   
See also:
http://help.madshi.net/Data/ACLs.htm

Of course you can do everything by yourself, too. But creating ACLs is no fun...

Regards, Madshi.
0
 
LVL 5

Author Comment

by:JimBob091197
ID: 6486785
Thanks everybody for your responses.

Madshi, I don't particularly want to pay for a library, but I will bear your solution in mind if nobody else adds further comments. Unfortunately I am busy with other things, so I was hoping not to spend too much time with this problem.

Thanks,
JB
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6486788
>> Madshi, I don't particularly want to pay for a library, but I will bear your solution in mind if nobody else adds further comments

In that case please test my stuff before buying it, not the other way round. I only want satisfied costumers...  :-)
0
 
LVL 5

Author Comment

by:JimBob091197
ID: 6486806
No problem.  ;-)

But what I also said was that I don't have the time right now to go into it, but if nobody can provide my "ideal" answer (see original question) then I will indeed have a look at your components in the next few days.

Cheers,
JB
0
 
LVL 1

Expert Comment

by:pede
ID: 6490611
Listening :o)
0
 
LVL 17

Expert Comment

by:geobul
ID: 9307842
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

accept AvonWyss's comment as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

geobul
EE Cleanup Volunteer
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
Introduction Raise your hands if you were as upset with FireMonkey as I was when I discovered that there was no TListview.  I use TListView in almost all of my applications I've written, and I was not going to compromise by resorting to TStringGrid…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now