Three factors determine the security settings for IUnknown:
Setting secure reference counting tells COM to authenticate distributed AddRef and Release calls. To set secure reference calls, specify the EOAC_SECURE_REFS capability flag in a call to CoInitializeSecurity. For legacy applications, the LegacySecureReferences key in the registry can be used to enable secure reference counting. You can also use Dcomcnfg.exe to enable secure reference counting as a machine-wide default setting (see Setting Machine-wide Reference Tracking). When secure reference counting is enabled, COM keeps per user reference counts so that a user can only call Release on objects that the user had previously called AddRef on. Although secure reference counting can decrease performance, it ensures that no matter how many times a given user calls Release, the objects and stubs will still exist if someone else has a reference to them.
If secure reference counting is enabled, IUnknown always uses default security settings. In this case, calls to CoSetProxyBlanket on IUnknown will fail.
If secure reference counting is turned off, the application can change the security settings for IUnknown by calling CoSetProxyBlanket on IUnknown. In this case, the specified security settings will be used for all future calls to IUnknown on any proxy on that object. To change the security settings for IUnknown, you must first call QueryInterface for IUnknown and then call CoSetProxyBlanket on the returned interface pointer, which is a pointer to the proxy manager. If you call CoSetProxyBlanket on any other interface, security settings for IUnknown will not be affected. Prior to Windows NT 4.0 SP 4, calls to CoSetProxyBlanket on IUnknown only affected QueryInterface, not AddRef or Release.
If secure reference counting is turned off and CoSetProxyBlanket was not called on IUnknown, IUnknown has the default security settings. For example, suppose the client called CoInitializeSecurity with authentication level RPC_C_AUTHN_LEVEL_CONNECT and impersonation level RPC_C_IMP_LEVEL_IDENTIFY. But the server called CoInitializeSecurity using the encrypt authentication level (RPC_C_AUTHN_LEVEL_PKT_PRIVACY) and impersonation level RPC_C_IMP_LEVEL_IMPERSONATE. In this case, calls to IUnknown would be made at encrypt and identify, which are the negotiated default security settings.