An application that uses DDE will normally use either the DDE message protocol or use the DDE function set. For this discussion an application can act as a “window-based client” (WC), an “API-based client” (AC), a “window-based server” (WS), or an “API-based server” (AS). If the client and the server are owned by the same user, the connection is made as it is under Win3. To understand the effects of security on DDE conversations between applications owned by different users, the following scenarios must be examined:
An WC connecting to an WS.
An AC connecting to an WS.
An WC connecting to an AS.
An AC connecting to an AS.
For this conversation to succeed, the WS must have access to the WC window and the WC must have access to the WS window. If the WS does not have access to the WC, the WS cannot acknowledge the WM_DDE_INITIATE. If the WC does not access to the WS, the WC cannot send any messages to the WS.
A window is created by USER32 in behalf of the AC when it is registered. The existence of this window is hidden from the AC so that the AC cannot modify its security. Therefore, the WS will not be able to acknowledge the WM_DDE_INITIATE from the AC and the connection will fail.
For this conversation to succeed, the AS must have access to the WC window. When the AS receives the initiate request, access to the WC window is checked and if access is granted, USER32 adds access rights for the WC to the AS window. If access to the WC window is not allowed to the server the initiate request is ignored. The AS performs an access check of the WC thread token against the access object. Connection is allowed or denied according to this check.
For this type of conversation, all operations that access the windows that are used for the conversation transport are done on the server side. When a message is sent within the server, the application on whose behalf the message is being sent does not have to have access to that window. The security of these windows can be set up such that cannot be enumerated and thus be hidden from all applications. The AS performs the same AS access check on an AC as it does on a WC.