Solved

DCOM Launch Permissions

Posted on 2001-09-12
12
1,346 Views
Last Modified: 2008-02-26
How can I set launch permissions for a DCOM object (using Delphi code) so that a remote user can create an instance of my COM object. This code would achieve the same result as running dcomcnfg.exe, selecting the desired object, clicking "Properties" and changing the launch permissions under the Security tab.

------------------

I've just increased the points to 300 (I tried 800, but Ex-Ex doesn't allow more than 300 per question), and to qualify I would like Delphi code examples please. No links.

What I've found out thus far is as follows:

1. It appears that the API call needed might be CoInitializeSecurity() which is not documented in Delphi's help.

2. I can change default permissions for all DCOM objects using the above function, but that is not what I'm wanting.

3. I would like to give a specific remote user launch permission for a specific DCOM object on my local PC. I can get a remote user's SID using LookupAccountName(), and it's possible that CoInitializeSecurity() may use this.

4. When a COM object's launch permissions are changed (and thus it no longer uses the default launch permissions), that COM object gets a new binary value in the Registry called "LaunchPermission" found under HCR\AppID\{Com Object GUID}. Unfortunately the contents of this binary value are a mystery, and thus I would prefer an API function instead of modifying the Registry directly. (See also Cubud's comment.)

5. The following links may be of use to you:
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/1198/security/security1198.htm&nav=/msj/1198/newnav.htm
http://shrike.depaul.edu/~eklodnic/dcom.htm
http://www.intellution.com/opchub/opcdcom.asp


In summary, the perfect answer would provide code for a function something like this:

function SetRemoteUserLaunchPermissions(MyDCOMGUID: TGUID; RemoteUserName: string; GrantLaunchPermission: Boolean): Boolean;

Thanks,
JB

0
Comment
Question by:JimBob091197
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
12 Comments
 
LVL 3

Expert Comment

by:cubud
ID: 6476617
Search the web for an app called RegMon, it will monitor all changes to the registry, run dcomcfg.exe while regmon is running and you will be able to see what it did to the registry.

Pete
http://www.HowToDoThings.com (Delphi articles)
http://www.Stuckindoors.com/delphi (Open source)
0
 
LVL 5

Author Comment

by:JimBob091197
ID: 6476854
I'd rather use API functions or another mechanism provided by Windows. I've already found several differences regarding where things are stored in the registry with Win NT, Win 2000 & Win 95/98/ME, so I don't really want to modify the Registry entries directly. Maybe as a last resort...

Thanks,
JB
0
 

Expert Comment

by:lsae
ID: 6477730
listening...
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Expert Comment

by:malsoft
ID: 6478966
JimBob,

As far as point 1 is concerned, have you looked at the MSDN Online library? I found the following about the CoInitializeSecurity() function:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/hh/com/cmf_a2c_8ayh.asp

Hope that explains some of the functionality you'll need...
0
 
LVL 14

Accepted Solution

by:
AvonWyss earned 300 total points
ID: 6479029
JimBob, Microsoft explains the registry setting here:

http://msdn.microsoft.com/library/en-us/com/hh/com/security_3jw9.asp
and
http://msdn.microsoft.com/library/en-us/com/hh/com/reg_33y1.asp

The binary data inside these two keys are ACLs. This may help you with the ACLs:

http://msdn.microsoft.com/library/en-us/security/hh/winbase/acctrlow_7ldf.asp

You may also want to have a look at the ACCCTRL and ACLAPI header translations included in Delphi. Unfortunaltely, the ACLAPI.DLL needed for the latter is not part of the standard windows installation.
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6480388
Good comment, AvonWyss...  :-)

I remember having seen the very same question somewhere else somewhen, don't have the link right now. The answer was also to edit the registry directly, if I remember right.

JimBob, if you need help in creating the ACL, you might want to look at my package "madSecurity" (free for non-commercial usage), with which you can e.g. do this:

function WriteAclInString(accountName: string; accessMask: dword) : string;
begin
  with NewAcl do begin
    NewItem(Account(accountName), dwordAccessMask);
    SetLength(result, Size);
    Move(PAcl^, pchar(result)^, Size);
  end;
end;
   
See also:
http://help.madshi.net/Data/ACLs.htm

Of course you can do everything by yourself, too. But creating ACLs is no fun...

Regards, Madshi.
0
 
LVL 5

Author Comment

by:JimBob091197
ID: 6486785
Thanks everybody for your responses.

Madshi, I don't particularly want to pay for a library, but I will bear your solution in mind if nobody else adds further comments. Unfortunately I am busy with other things, so I was hoping not to spend too much time with this problem.

Thanks,
JB
0
 
LVL 20

Expert Comment

by:Madshi
ID: 6486788
>> Madshi, I don't particularly want to pay for a library, but I will bear your solution in mind if nobody else adds further comments

In that case please test my stuff before buying it, not the other way round. I only want satisfied costumers...  :-)
0
 
LVL 5

Author Comment

by:JimBob091197
ID: 6486806
No problem.  ;-)

But what I also said was that I don't have the time right now to go into it, but if nobody can provide my "ideal" answer (see original question) then I will indeed have a look at your components in the next few days.

Cheers,
JB
0
 
LVL 1

Expert Comment

by:pede
ID: 6490611
Listening :o)
0
 
LVL 17

Expert Comment

by:geobul
ID: 9307842
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

accept AvonWyss's comment as answer

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

geobul
EE Cleanup Volunteer
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Objective: - This article will help user in how to convert their numeric value become words. How to use 1. You can copy this code in your Unit as function 2. than you can perform your function by type this code The Code   (CODE) The Im…
Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question