COM Security

COM provides an infrastructure to expose functional objects to applications. Distributed COM (DCOM) enables programmatic calls from an application to COM objects on remote devices. This feature has potential security risks when deployed to run over a public network, such as the Internet. If the security of the feature is compromised, it could expose the device or local network to the public network.

There are two levels of security to consider when you implement a distributed application:

  • Network security helps control who can access a computer. At this security level, Distributed Component Object Model (DCOM) security on Windows CE is equivalent to that of the Windows NT 4.0, SP5, implementation, which uses the Windows NT LAN Manager system security package (NTLM SSP). For more information, see COM Authentication.
  • Local security helps control what a user is permitted to do on a computer after gaining access. This security level is defined by the operating system on the target computer. Windows CE helps regulate access to critical system components as a whole, instead of on a resource-by-resource basis as is done on Windows NT. For more information, see COM Access Control.

Best Practices

Use authentication

DCOM security on Windows CE is equivalent to that of the Windows NT 4.0, SP5, implementation, which uses the NTLM Security Support Provider (NTLM SSP). DCOM uses the NTLM protocol to help establish user credentials if the flag RPC_C_AUTH_WINNT is selected. For more information, see COM Authentication.

Use DCOM in a private network

Limit deployment of DCOM to a secure network that is physically isolated or protected by a firewall from the public network, such as the Internet. By default, the remoting capability of DCOM is disabled to help provide a more secure environment for the device. This enables the DCOM's local server capabilities and still allows the device to be connected to the Internet. To enable the remoting capability, set the Sysgen variable, SYSGEN_DCOM_REMOTEACCESS, to 1.

Use access control

You can setup a list of users and permission levels in the registry. For more information, see COM Access Control.

Default Registry Settings

You should be aware of the registry settings that impact security. Security Note entries in the registry settings documentation explain security implications.

For information, see COM Registry Settings.

See Also

Component Services (COM and DCOM) | Enhancing the Security of a Device

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.