Determining Your Security Needs

How you set up COM security for your application depends on what kind of security your application needs. There are several common situations that determine what you should do.

If you decide to use the COM security defaults, you do not have to do anything — COM handles it all. For information on what these default settings are, see COM Security Defaults.

You can also prevent any remote calls into your machine by disabling DCOM (COM between remote machines) altogether. For more information, see Activation Security and Disabling DCOM.

For legacy or new applications, you can set process-wide security in the registry. For more information, see Setting Process-wide Security through the Registry.

You can also override default security settings for calls to certain interfaces in the process, while setting default security for the remainder of the process (to allow COM to handle the general cases). For more information, see Setting Process-wide Security with CoInitializeSecurity and Setting Security at the Interface Proxy Level.

For complex security requirements, you can handle all security programmatically, rather than allowing COM to handle it for you. To do this, call CoInitializeSecurity to disable automatic authentication, and then control all the security settings by setting security on a per-interface proxy basis. For more information, see Setting Process-wide Security with CoInitializeSecurity and Setting Security at the Interface Proxy Level.

In some scenarios, you might want to turn security off completely. You might decide that your application does not need any security, or you might want to disable security during development time so that you can enable security features individually. To learn how to disable COM security, see Turning Security Off.

Most of the preceding options are open to you if you run your application under Windows 95, but there are some limitations. For more information, see COM Security and Windows 95.

You can also run a server as a given user account by setting the RunAs named-value. This setting can be used to restrict or enhance available operations. For more information, see Installing as a Win32 Service or User Account.
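
To see which of the registry-based options above are in effect on a machine, the following read-only PowerShell audit reports whether DCOM is enabled, the legacy process-wide defaults, and which AppIDs set RunAs or an authentication level. It is an added example, not part of the original documentation; the registry paths and value names (EnableDCOM, LegacyAuthenticationLevel, LegacyImpersonationLevel, AuthenticationLevel, AccessPermission, LaunchPermission) are the standard COM names and do not appear on this page, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the COM security settings discussed above.
# Registry paths and value names are the standard COM ones, not quoted from this page.
$AuthnNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Format-AuthnLevel($Value) {
    # A missing value means the setting is not overridden in the registry.
    if ($null -eq $Value) { return 'not set' }
    $name = $AuthnNames[[int]$Value]
    if ($name) { "$Value ($name)" } else { "$Value (unrecognized)" }
}

function Get-ComMachineSettings {
    # Machine-wide switches: DCOM on/off and the legacy process-wide defaults.
    $ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableDCOM                = $ole.EnableDCOM                 # 'Y' or 'N'
        LegacyAuthenticationLevel = Format-AuthnLevel $ole.LegacyAuthenticationLevel
        LegacyImpersonationLevel  = $ole.LegacyImpersonationLevel
        HasDefaultAccessACL       = $null -ne $ole.DefaultAccessPermission
        HasDefaultLaunchACL       = $null -ne $ole.DefaultLaunchPermission
    }
}

function Get-ComAppIdSettings {
    # Per-server overrides: identity (RunAs), authentication level, and custom ACLs.
    Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $runAs = $_.GetValue('RunAs')
            $authn = $_.GetValue('AuthenticationLevel')
            if ($null -ne $runAs -or $null -ne $authn) {
                [pscustomobject]@{
                    AppID               = $_.PSChildName
                    Name                = $_.GetValue('')
                    RunAs               = $runAs
                    AuthenticationLevel = Format-AuthnLevel $authn
                    AuthnDisabled       = ($authn -eq 1)   # level None: calls are unauthenticated
                    HasAccessACL        = $null -ne $_.GetValue('AccessPermission')
                    HasLaunchACL        = $null -ne $_.GetValue('LaunchPermission')
                }
            }
        }
}

Get-ComMachineSettings | Format-List
Get-ComAppIdSettings | Sort-Object AuthnDisabled -Descending | Format-Table -AutoSize
```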

Security in COM relies on authentication services administered by security packages. The default security package for Windows NT is NTLMSSP (Windows NT LAN Manager Security Support Provider). This package works well for many applications, but does not provide the more robust security offered by other packages. Therefore, for Windows NT 5.0, COM now supports the SChannel security package, which uses certificate-based security for its SSL and PCT protocols. Starting with beta 2 of Windows NT 5.0, the Kerberos security package is also supported. For more details on using these security packages, refer to COM and Security Packages.