Normally, activation uses default security settings. However, you can control activation security by specifying a COAUTHINFO structure, which is a member of the COSERVERINFO structure that is passed to the activation functions. If the client specifies an authentication level of RPC_C_AUTHN_LEVEL_NONE in the COAUTHINFO structure, authentication is not attempted. Otherwise, secure activation is attempted, and if authentication fails, activation fails.
If the client does not specify an explicit COAUTHINFO structure and instead sets the pointer to NULL, COM will attempt to authenticate the client. If it cannot authenticate the client, COM checks the launch permission security descriptor to see if there is a NULL DACL or an ACL that allows access to Everyone. If this check succeeds, the server is launched. So, even if the client does not specify a COAUTHINFO structure, unsecure activation may take place when the server allows it.
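As an added example (not part of the original documentation), the following C code shows a client that avoids the fallback to unauthenticated activation by passing an explicit COAUTHINFO with a level other than RPC_C_AUTHN_LEVEL_NONE, so that failed authentication fails the activation. The helper names, the choice of RPC_C_AUTHN_WINNT and RPC_C_AUTHN_LEVEL_PKT_PRIVACY, and the non-Windows stand-in definitions are assumptions made for illustration.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <objbase.h>
#else /* Stand-ins (assumption) so the setup logic compiles off Windows. */
#include <stddef.h>
typedef unsigned int DWORD;
typedef wchar_t WCHAR;
typedef struct { DWORD dwAuthnSvc, dwAuthzSvc; WCHAR *pwszServerPrincName;
                 DWORD dwAuthnLevel, dwImpersonationLevel;
                 void *pAuthIdentityData; DWORD dwCapabilities; } COAUTHINFO;
typedef struct { DWORD dwReserved1; WCHAR *pwszName;
                 COAUTHINFO *pAuthInfo; DWORD dwReserved2; } COSERVERINFO;
enum { RPC_C_AUTHN_LEVEL_NONE = 1, RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6,
       RPC_C_AUTHN_WINNT = 10, RPC_C_AUTHZ_NONE = 0,
       RPC_C_IMP_LEVEL_IMPERSONATE = 3, EOAC_NONE = 0 };
#endif

/* Hypothetical helper: build a COSERVERINFO whose COAUTHINFO is explicit (not NULL)
   and whose level is not RPC_C_AUTHN_LEVEL_NONE, so failed authentication fails the
   activation. Returns 0 on success, -1 if the request would be unauthenticated. */
int build_secure_server_info(COSERVERINFO *si, COAUTHINFO *ai, WCHAR *host, DWORD level)
{
    if (si == NULL || ai == NULL || level == RPC_C_AUTHN_LEVEL_NONE)
        return -1;
    memset(ai, 0, sizeof *ai);
    ai->dwAuthnSvc = RPC_C_AUTHN_WINNT;          /* principal name stays NULL */
    ai->dwAuthzSvc = RPC_C_AUTHZ_NONE;
    ai->dwAuthnLevel = level;
    ai->dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
    ai->pAuthIdentityData = NULL;                /* use the caller's own credentials */
    ai->dwCapabilities = EOAC_NONE;
    memset(si, 0, sizeof *si);
    si->pwszName = host;                         /* target computer name */
    si->pAuthInfo = ai;                          /* never NULL on this path */
    return 0;
}

#ifdef _WIN32
/* Hypothetical wrapper; the caller has already initialized COM on this thread. */
HRESULT activate_authenticated(const CLSID *clsid, WCHAR *host, IUnknown **out)
{
    COAUTHINFO ai; COSERVERINFO si; MULTI_QI qi;
    HRESULT hr;
    if (build_secure_server_info(&si, &ai, host, RPC_C_AUTHN_LEVEL_PKT_PRIVACY) != 0)
        return E_INVALIDARG;
    memset(&qi, 0, sizeof qi);
    qi.pIID = &IID_IUnknown;
    hr = CoCreateInstanceEx(clsid, NULL, CLSCTX_SERVER, &si, 1, &qi);
    if (SUCCEEDED(hr)) hr = qi.hr;
    if (SUCCEEDED(hr)) *out = qi.pItf;
    return hr;
}
#endif
```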
Why would a client want to turn activation security off explicitly even though unsecure activation will eventually take place if the server allows it? Explicitly turning activation security off increases performance when the client does not want or need security checks.
Both of the following things must be done to explicitly turn off activation security: