Active@ Undelete - Data Recovery Software     
   
 

Users Guide


 

   3.3.3. Setting Machine-Wide Security

Not all applications provide access security. Set machine-wide security when you want to apply common security settings for all users. Dcomcnfg.exe makes it easy to set default values in the registry that apply to all applications on a machine.

It is important to understand that if a client or server utility explicitly sets a security level that affects the system process-wide, default settings in the registry will be ignored. Also, if Dcomcnfg.exe is used to specify security settings for a specific process, the default machine settings will be overridden by the settings for the adjusted process.

When enabling machine-wide security, set the authentication level to a value other than None, and set launch and access permissions. Setting the default impersonation level and reference tracking is optional.

The following topics in this section provide step-by-step procedures:

Default Authentication Level

The authentication level tells COM the level at which the client is authenticated. Various levels of protection are offered, ranging from no protection to full encryption.

Choose a setting using Dcomcnfg.exe, by completing the following steps.

  1. Run Dcomcnfg.exe.
  2. Click the Default Properties tab.
  3. From the Default Authentication Level list box, choose any value other than None.
  4. To continue setting machine properties, click the Apply button. The new authentication levels will be applied.
  5. When complete, click OK to apply the changes and exit Dcomcnfg.exe.

Launch Permissions

The launch permissions set with Dcomcnfg.exe explicitly grant or deny permission to launch any server that does not provide its own launch-permission settings. Add or remove users or groups, specifying permission.

Follow these steps to set launch permissions for a machine:

  1. In Dcomcnfg.exe, click the Default Security tab.
  2. On the Property page, click the Edit Default button in the Default Launch Permissions area.
  3. To remove users or groups, select the user or group you want to remove and click the Remove button. When you have finished removing users and groups, click OK.
  4. To add a user or group, click the Add button. Enter a user name in the Add Names text box or select it from the user database Names list box and click the Add button.
  5. Select the access type from the Type of Access list box (Allow Launch or Deny Launch).
  6. Add all users with the same type of access by entering names or choosing them from the list until finished, then click OK to apply changes.
  7. To add users with different user access, repeat steps 5 and 6.

Access Permissions

Set access permissions for access to servers that do not provide their own access permissions. Add or remove users or groups, specifying permission.

Note: When setting access permissions, ensure that SYSTEM is included in the list of users. Granting access permissions to Everyone includes SYSTEM implicitly.

The process of setting access permissions for a machine is similar to setting launch permissions, as described above. Here is a summary of the steps:

  1. On the Default Security property page, click Edit Default.
  2. To remove users or groups, select them and click Remove. When complete, click OK.
  3. To add a user or group, click the Add button. Enter a user name in the Add Names text box or select it from the user database Names list box and click the Add button.
  4. Select the access type from the Type of Access list box (Allow Launch or Deny Launch).
  5. Add all users with the same type of access by entering names or choosing them from the list until finished, then click OK to apply changes.
  6. To add users with different user access, repeat steps 5 and 6.

 

Impersonation Level

The impersonation level, set by the client, determines the amount of authority given to the server to act on the client's behalf. For example, when the client has set its impersonation level to delegate, the server can access local and remote resources as the client, and the server can cloak over multiple machine boundaries (provided the cloaking capability is set).

To set the impersonation level for a machine:

  1. In Dcomcnfg, click the Default Properties tab.
  2. From the Default Impersonation Level list box, click the impersonation level you want.
  3. To continue setting machine properties, click the Apply button. The new authentication levels will be applied.
  4. When complete, click OK to apply the changes and exit Dcomcnfg.exe.

Reference Tracking

This function asks COM to do additional security checks and to keep track of information that will keep objects from being released too early. Keep in mind that these additional checks are expensive.

Use the following steps to enable or disable reference tracking for a machine:

  1. In Dcomcnfg, click the Default Properties tab.
  2. Enable or disable the Provide additional security for reference tracking check box near the bottom of the page.
  3. To continue setting machine properties, click the Apply button. The new authentication levels will be applied.
  4. When complete, click OK to apply the changes and exit Dcomcnfg.exe.

Enabling and Disabling DCOM

When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer, but doing so will disable all communication between objects on that computer and objects on other computers.

Disabling DCOM on a computer has no effect on local COM objects. COM still looks for launch permissions that you have specified. If no launch permissions have been specified, default launch permissions are used. Even if you disable DCOM, if a user has physical access to the computer, they could launch a server on the computer unless you set launch permissions not to allow it.

Warning: If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.

To manually enable (or disable) DCOM for a computer:

  1. In Dcomcnfg, click the Default Properties tab.
  2. Enable or disable the Enable Distributed COM on this Computer check box.
  3. To continue setting machine properties, click the Apply button. The new authentication levels will be applied.
  4. When complete, click OK to apply the changes and exit Dcomcnfg.exe.
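
The machine-wide defaults set in the procedures above are stored as values under HKLM\SOFTWARE\Microsoft\Ole. The following read-only PowerShell audit is an added example, not part of the original guide; the registry value names come from Microsoft's COM documentation rather than from this page, and PowerShell 5 or later is assumed. It reports each setting and flags the two conditions the guide calls out: an authentication level of None, and default access permissions that omit SYSTEM.

```powershell
# Added example: read-only audit of the machine-wide DCOM defaults written by Dcomcnfg.exe.
# Value names below are from Microsoft's COM registry documentation, not from this guide.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

# RPC_C_AUTHN_LEVEL_* / RPC_C_IMP_LEVEL_* constants, named as in the Dcomcnfg list boxes.
$authNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$impNames  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Format-Level($value, $names) {
    if ($null -eq $value) { return '(not set, COM built-in default applies)' }
    $name = $names[[int]$value]
    if (-not $name) { $name = 'unknown' }
    return "$value ($name)"
}

# Decode a REG_BINARY self-relative security descriptor and summarise its DACL.
function Get-AclSummary($bytes) {
    if ($null -eq $bytes) { return $null }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    [pscustomobject]@{
        Sddl    = $sd.GetSddlForm('Access')
        Allowed = @($sd.DiscretionaryAcl | Where-Object { $_.AceQualifier -eq 'AccessAllowed' } |
                    ForEach-Object { $_.SecurityIdentifier.Value })
    }
}

$launch = Get-AclSummary $ole.DefaultLaunchPermission
$access = Get-AclSummary $ole.DefaultAccessPermission

"EnableDCOM                : $($ole.EnableDCOM)"
"Default authentication    : $(Format-Level $ole.LegacyAuthenticationLevel $authNames)"
"Default impersonation     : $(Format-Level $ole.LegacyImpersonationLevel $impNames)"
"Reference tracking        : $($ole.LegacySecureReferences)"
"Default launch permission : $(if ($launch) { $launch.Sddl } else { '(not set)' })"
"Default access permission : $(if ($access) { $access.Sddl } else { '(not set)' })"

# Checks taken from the guide: authentication must not be None, and the default
# access list must include SYSTEM (S-1-5-18) directly or via Everyone (S-1-1-0).
if ($ole.LegacyAuthenticationLevel -eq 1) {
    Write-Warning 'Default authentication level is None.'
}
if ($access -and -not ($access.Allowed | Where-Object { $_ -in 'S-1-5-18', 'S-1-1-0' })) {
    Write-Warning 'Default access permissions grant neither SYSTEM nor Everyone.'
}
```

Settings applied to a specific process in Dcomcnfg.exe, or set explicitly by the application itself, override these defaults and are not covered by this check.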

 


Active@ UNDELETE © 1998-2008 Active@ Data Recovery Software