OLE Key

The named values under the HKEY_LOCAL_MACHINE\Software\Microsoft\OLE key control Distributed COM's default launch and access permission settings and call-level security capabilities for applications that do not call the CoInitializeSecurity function. The named values for OLE are stored under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\named_value = value

For more information about access control, see COM Access Control.

The following entries describe the named values under the HKEY_LOCAL_MACHINE\Software\Microsoft\OLE key. Each entry gives the value name and its registry type, followed by its description.
EnableDCOM : REG_SZ
Controls the global activation and call policies of the machine. If this value is set to N, no remote clients may launch servers or connect to objects on this machine. Local launching of class code and connecting to objects is allowed on a per-class basis according to the value and access permissions of the class's AppID\{...}\LaunchPermission key and the global DefaultLaunchPermission key.

If this value is set to Y, launching of servers and connecting to objects by remote clients is allowed on a per-class basis according to the value and access permissions of the class's LaunchPermission named-value and the global DefaultLaunchPermission named-value.

Security Note   Enabling this feature enables remote access to COM objects on your device.
DefaultLaunchPermission = ACL : REG_BINARY
Defines the Access Control List (ACL) of the principals that can launch classes that do not specify their own ACL through the LaunchPermission named-value.

This value contains the ACL of the principals who can launch classes on the current system. If the LaunchPermission named-value is set for a server, it takes precedence over the DefaultLaunchPermission named-value. Upon receiving a local or remote request to launch a server whose AppID key has no LaunchPermission value of its own, the ACL described by this value is checked while impersonating the client, and the result of that check either allows or disallows the launching of the class code.

This entry supports a simple level of centralized administration of the default launching access to otherwise unadministered classes on a machine. For example, an administrator might use the DCOMCNFG tool to configure the system to allow read-access only for power-users of the machine. OLE would therefore restrict requests to launch class code to members of the power-users group. The administrator could subsequently configure launch permissions for individual classes to grant the ability to launch class code to other groups or individual users as needed.

The access-permissions in this named-value default to the following:

  • machine-administrators: allow-launch
  • SYSTEM: allow-launch
  • INTERACTIVE: allow-launch
Security Note   Enabling this feature enables remote access to COM objects on your device.
DefaultAccessPermission = ACL : REG_BINARY
Sets the Access Control List (ACL) of the principals that can access classes for which there is no AccessPermission setting. This ACL is used only by applications that do not call CoInitializeSecurity and do not have an AccessPermission value under their AppID.

DefaultAccessPermission is a REG_BINARY named-value whose data describes the ACL of the principals who can access classes that have no AccessPermission named-value. In this case, the COM runtime in the server checks the ACL described by this value while impersonating the caller that is attempting to connect to the object, and the result of that check determines whether access is allowed. If the access check fails, the connection to the object is refused. If this named-value does not exist, only the server principal and the local system are allowed to call the server.

This named-value supports a simple level of centralized administration of the default connection access to running objects on a machine.

By default, this named-value has no entries in it. Only the server principal and system are allowed to call the server.

Security Note   Enabling this feature enables remote access to COM objects on your device.
LegacyAuthenticationLevel = default_authentication_level : REG_DWORD
Sets the default authentication level for applications that do not call CoInitializeSecurity.

The values from 1 through 6 are valid. The following list shows the RPC_C_AUTHN_LEVEL_xxx constants to which they correspond:

  • 1 = RPC_C_AUTHN_LEVEL_NONE
  • 2 = RPC_C_AUTHN_LEVEL_CONNECT
  • 3 = RPC_C_AUTHN_LEVEL_CALL
  • 4 = RPC_C_AUTHN_LEVEL_PKT
  • 5 = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
  • 6 = RPC_C_AUTHN_LEVEL_PKT_PRIVACY

When this named-value is not present, the default authentication level established by the system is 2 (RPC_C_AUTHN_LEVEL_CONNECT).

LegacyImpersonationLevel = default_impersonation_level : REG_DWORD
Sets the default level of impersonation for applications that do not call CoInitializeSecurity.

The values from 1 through 4 are valid. The following list shows the RPC_C_IMP_LEVEL_xxx constants to which they correspond:

  • 1 = RPC_C_IMP_LEVEL_ANONYMOUS
  • 2 = RPC_C_IMP_LEVEL_IDENTIFY
  • 3 = RPC_C_IMP_LEVEL_IMPERSONATE
  • 4 = RPC_C_IMP_LEVEL_DELEGATE

When this named-value is not present, the default impersonation level established by the system is 2 (RPC_C_IMP_LEVEL_IDENTIFY). NTLMSSP on Windows NT 4.0 supports only RPC_C_IMP_LEVEL_IDENTIFY and RPC_C_IMP_LEVEL_IMPERSONATE. In Windows 2000, the Kerberos v5 protocol supports RPC_C_IMP_LEVEL_DELEGATE. However, RPC_C_IMP_LEVEL_ANONYMOUS is not supported by either Windows NT 4.0 or Windows 2000 (NT 5.0).

LegacyMutualAuthentication : REG_SZ
Determines whether mutual authentication is enabled. This value provides the default setting for use of mutual authentication for all applications that do not call CoInitializeSecurity. Values of "Y" or "y" indicate that mutual authentication is enabled. Any other value, or the absence of this named-value, means that mutual authentication is disabled.

Note   Mutual authentication is not supported and is not available by default with Windows NT 4.0. This named-value is only useful if the network administrator installs a security provider that supports mutual authentication.

LegacySecureReferences : REG_SZ
Determines whether AddRef/Release invocations use COM security functionality for applications that do not call CoInitializeSecurity. This value provides the default setting that helps to secure IUnknown::AddRef and IUnknown::Release method invocations for all applications that do not call CoInitializeSecurity. Values of "Y" or "y" indicate that AddRef/Release uses COM security functionality. Any other value, or the absence of this named-value, means that AddRef/Release does not use such functionality. Enabling COM security functionality slows remote calls.
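As an added example (not part of the original page), the following Python script parses a constructed .reg export of the OLE key, applies the defaults described above for absent named-values, and counts the ACEs in a REG_BINARY permission ACL, so an auditor can read off the effective legacy DCOM settings from an exported registry. The sample data and the helper names are assumptions.

```python
import re
import struct
# Levels 1 and 2 are listed on the page; 3 to 6 are the remaining RPC_C_AUTHN_LEVEL_* values.
AUTHN = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
IMP = {1: "ANONYMOUS", 2: "IDENTIFY", 3: "IMPERSONATE", 4: "DELEGATE"}
# Constructed sample export of the OLE key (not taken from any real machine).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="Y"
"LegacyAuthenticationLevel"=dword:00000001
"LegacyMutualAuthentication"="y"
"DefaultLaunchPermission"=hex:01,00,04,80,00,00,00,00,00,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,08,00,03,00,00,00
'''

def parse_reg_values(text):
    """Return {name: value} for the named values in a .reg export (REG_SZ, REG_DWORD, REG_BINARY)."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin hex data continued with a trailing '\'
    values = {}
    for m in re.finditer(r'^"([^"]+)"=(.+)$', joined, re.M):
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith("hex:"):
            values[name] = bytes.fromhex(raw[4:].replace(",", ""))
        else:
            values[name] = raw.strip('"')
    return values

def dacl_ace_count(sd):
    """ACE count of the DACL in a self-relative SECURITY_DESCRIPTOR blob, or None if absent."""
    if len(sd) < 20:
        return None
    dacl_off = struct.unpack_from("<BBHIIII", sd, 0)[6]  # Revision, Sbz1, Control, Owner, Group, Sacl, Dacl
    if dacl_off == 0 or dacl_off + 8 > len(sd):
        return None
    return struct.unpack_from("<BBHHH", sd, dacl_off)[3]  # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2

def effective_settings(values):
    """Resolve the legacy settings, applying the defaults the page documents for absent values."""
    auth, imp = values.get("LegacyAuthenticationLevel", 2), values.get("LegacyImpersonationLevel", 2)
    return {
        "remote_clients_allowed": values.get("EnableDCOM") == "Y",
        "authn_level": "RPC_C_AUTHN_LEVEL_" + AUTHN.get(auth, f"UNKNOWN({auth})"),
        "imp_level": "RPC_C_IMP_LEVEL_" + IMP.get(imp, f"UNKNOWN({imp})"),
        "mutual_auth": str(values.get("LegacyMutualAuthentication", "")).lower() == "y",
        "secure_refs": str(values.get("LegacySecureReferences", "")).lower() == "y",
        # None: ACL absent; launch uses the built-in default, access is limited to server principal and SYSTEM.
        "launch_aces": dacl_ace_count(values.get("DefaultLaunchPermission", b"")),
        "access_aces": dacl_ace_count(values.get("DefaultAccessPermission", b"")),
    }
```

In the sample, EnableDCOM=Y combined with LegacyAuthenticationLevel=1 (RPC_C_AUTHN_LEVEL_NONE) is the combination an auditor would flag, since remote clients are admitted while legacy applications perform no authentication at all.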

See Also

COM Security | COM Registry Settings | COM Access Control | Component Services (COM and DCOM) | Enhancing the Security of a Device

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.