When a client user connects to a DDE share from a remote computer, network DDE accepts the request only if the following statements are true:
The process of granting trusted status to a share adds the share to the logged-on user's trusted shares list in the DSDM. This creates a trust relationship between the server and its clients. Once a DDE share has trusted status, clients can connect to it as long as the user that created the share is logged on. When the client connects to the share from a remote computer, network DDE accepts the request only if the share is listed in the logged-on user's trusted shares list in the DSDM.
Network DDE performs an additional security check when the client requests data or a link. It checks that the server has granted the remote user the necessary permission for the operation. The server controls access to the share through the pSD parameter of the NDdeShareAdd function. This parameter specifies the security descriptor. If this parameter is NULL, the function creates a default security descriptor that grants full access to the creator of the share and grants read and link permission to all other users. To grant or deny additional permissions to individual users or groups of users, create and use a security descriptor. For more information on security descriptors, see Access Control.
To obtain the security descriptor for an existing DDE share, call the NDdeGetShareSecurity function. You can edit the information and then update the security descriptor for the share by using the NDdeSetShareSecurity function.