Securing COM, COM+, and DCOM Applications Using Component ServicesComponent Object Model (COM), COM+, and Distributed COM (DCOM) applications are managed from the Component Services console, as displayed in Figure 4-31. You can manage security for these applications inasmuch as the application provides interfaces for doing so. COM+ applications, for example, may define roles that have specific privileges and permissions within the application. You can manage roles using the console if roles have been defined in the application. Figure 4-31. The Component Services console is used to manage security for COM+ and COM applications.[View full size image] ![]() WARNING: Don't Adjust Existing COM+ Application PropertiesIt is not recommended that you adjust application properties because applications may contain code that requires the default settings to be in place. Modifying settings may cause an application to fail, become unstable, or behave less securely. Unless you thoroughly understand the application and know why modifying settings can improve security, you should leave settings as they are. The best time to question the default settings used on an application is during its development. Configuring Security for COM and COM+ Application InteractionA number of properties can be configured:Authentication level for callsAuthorizationSecurity LevelImpersonationIdentificationLaunch PermissionsAccess Permissions Authentication Level for CallsAn identity is a characteristic such as a user ID or computer name. Authentication is the process by which an identity proves it is who it claims to be. Calls to COM+ components may be restricted to users with a specific role, in which case authentication is used to determine if the user is who they say they are, and then their membership is checked.NOTE: ResourceYou can learn more about managing COM+ applications from the platform Software Development KIT (SDK). You can locate a copy online at the MSDN site, http://msdn.microsoft.com.Authentication level is specified in the Component Services tool, or it can be managed programmatically using Administrative SDK functions. COM+ server and client applications can require authentication. Authentication can be set to a range of degrees, from none to encryption of every packet and all method call parameters. The following list is ordered from no authentication to the highest level. Authentication is negotiated between the client and the server, and the more secure setting of the two is used. You can control authentication from the server side by setting authentication to the highest level you desire. Machine-wide settings (the default is connect) are used if the authentication level is not set for an application. Authentication levels are as follows:NoneNo authentication occurs.Connect Credentials are checked only when a connection is made.Call Credentials are checked at the beginning of each call.Packet Credentials are checked, and verification that all called data is received takes place.Packet integrity Credentials are checked, and verification that call data has not changed in transit takes place.Packet privacy Credentials are checked, and verification that all information in the packet, including sender's identity and signature, are encrypted To set machine-wide authentication level, follow these steps:
AuthorizationIf role-based security is available in the COM+ application, enable authorization checking. Users who access the application are checked for role membership before being authorized to do anything in the application. To enable authorization checking, follow these these steps:
Security LevelThe security level sets the level at which access level checks are performed in role-enabled COM+ applications. Access checks can be set at the component level or at the process level. Setting access checks at the component level enables roles. Roles can be assigned to components, interfaces, and methods within the COM+ application. Process-level access checks apply only to application boundaries.To set a security level, follow these steps:
Impersonation and DelegationWhen a server makes a call on behalf of a client and uses the client's credentials instead of its own, it is performing impersonation. Resource access is thus expanded, or restricted, depending on what the user can do. For example, you may need the server application to access data in a database, in which case you would want it to be able to get any data that the client has permission to access.Impersonation levels are as follows:Anonymous Client is anonymous as far as the server is concerned. The server can impersonate the client, but no information about the client is in the impersonation token.Identify The default; the server can obtain the client's identity and can impersonate. Used for determining access-checking levels.Impersonate Default for COM+ server apps. The server can impersonate the client but is restricted. The server can access resources on the same computer as the client. If the server is on the same computer as the client, it can access network resources on the client's behalf. If it is not, it can only access resources on the computer it resides on.Delegate The server can impersonate the client, whether or not it is on the same computer as the client. Client credentials can be passed to any number of machines. To set the impersonation level, follow these steps:
Delegation is a special type of impersonation used over the network. The server and client applications do not reside on the same computer, and yet the server uses the client's identity to access resources on a third remote machine. Delegation is controlled with the Active Directory Service. To set delegation, see Chapter 8, "Trust." Two requirements must be met:The identity the server is running under (the account it uses to run its service) must be marked "Trusted for delegation."The client application must be running under an identity that is not marked as "Account is sensitive and cannot be delegated." IdentificationCOM and COM+ applications may run as a service. When they do, they run within the security context of an account or the Local System. If they are not implemented as a service, they may impersonate or act on the authority of the user account used to run them.Application identity is set during application installation and is only relevant for server applications. Identity is the user account that the application runs under and uses when it calls other applications and resources. Library identity is not set. Library COM+ applications use the identity of the host. Using a specific account, either Local service or an assigned user account is more secure than allowing the identity to be interactive. Interactive means that the COM+ application runs with the authority of the logged on user. If, for example, the local administrator is logged on, COM+ applications could be running with his authority and could be used to make calls and access resources, even for clients. If no one is logged on, then the application cannot be run. Identity can be set to this:InteractiveThe user who is logged onLocal service user An account with minimal permissions to run a locally accessible serviceA specific valid user account WARNING: Password Storage for COM+ IdentityCOM+ stores passwords in LSA secrets, and thus an administrator can obtain them. Be sure to use an account created just for the COM+ application and deny the account the right to log on locally. Launch PermissionsLaunch permissions specify a list of users who can be granted or denied permission to run or launch component model applications. When set in the properties of the computer, permission to launch is conferred for all applications that do not set their own launch permissions list. The default list is INTERACTIVE (anyone logged on locally), SYSTEM, and Administrators.To set launch permissions:
Launch Permissions can be set for individual applications. Examine a few applications, and you will learn that most simply use the default, but there are exceptions. If you open the properties for Automatic Updates, as shown in Figure 4-35, you can see that the launch permissions are customized. They are restricted to the SYSTEM and Administrators, while the default permissions are INTERACTIVE, SYSTEM, and Administrators. Figure 4-35. Automatic Updates is assigned custom launch permissions.[View full size image] ![]() Limiting Application Privilege with Library ApplicationsThere are two types of COM+ applications: applications and libraries. Libraries are hosted by another process, which means they run under the host security rather than their own user's identity. Their privilege is only that assigned to the host. Library applications may participate in authentication by default, but they can be configured not to use authentication by disabling it. (This is not a good idea.) A COM+ application can be deliberately limited by developing it as a library application. It can only access the resources that its client, the host process, can access. When calls are made outside of the application, or access to resources such as files depends on a security descriptor, they appear to be the client. If you are developing an application that performs sensitive work, and you want to limit its use to only those with permissions to do that work, then make it a library application. Assigning Users to RolesRoles are user categories defined within an application by the developer. Like Authorization Manager-enabled applications, COM+ applications may define roles that dictate what a user can do when running the application. The roles enforce an access control policy specific to the application and are built into the application by the developers. Administrators assign Windows users and groups to application roles. An example of COM+ application roles can be viewed in the Component Services console. Open the console and expand My Computer, COM+ Applications, System Application, and then Roles. Expand each role and the Users container underneath it. The results are illustrated in Figure 4-36. Figure 4-36. The System Application has roles defined, and in many cases, Windows groups are assigned.[View full size image] ![]()
Setting Software Restriction Policies for a COM+ ApplicationA Software Restriction Policy can be set directly in COM+ Application properties on a Windows Server 2003 server. By default, the system-level Software Restriction Policy security level is set the same for all server applications because they all run in the same file, dllhost.exe. If you need to change the policy for specific COM+ applications, you do so by setting Software Restriction Policies directly in the properties of a COM+ application. Software Restriction Policies set here take precedence over system-wide policy settings.To set COM+ application Software Restriction Policy, do this:
|