DCOM Security Blankets

The set of services and parameters that can be configured in order to specify the security settings for a DCOM component is called the 'security blanket'. This is essentially a packaging of security parameters. By bundling security parameters in a package, the negotiation process between the client and the server can be made 'network efficient'. Instead of negotiating each parameter across the network with multiple round trips, only a single round trip is required to complete the negotiation. We'll see how this is possible in the next section.

The parameters contained in the security blanket include:

Parameter Meaning
Authentication service The SSPI to use for authentication, e.g. NTLM.
Authentication level The degree to which to authenticate the access to the object and ensure the privacy of the communications over the connection. These are identical to the security levels of Authenticated RPC.
Server principle The user security context under which the COM server is running.
Impersonation level The degree of ‘similarity’ to the client being impersonated which the COM server is allowed during its execution. For example, it is possible to restrict the COM server to only query rights to security information, but not actually impersonate the client.
Authentication identity The identification of the client, as seen by the server. Usually a user name.

© 1997 by Wrox Press. All rights reserved.