Windows XP SP2 Workstation DCOM Settings
After Windows XP SP2 appeared, the word "upgrade" was everywhere, and SP2's policy of "not blocking non-genuine copies from upgrading" was, for many people in our country, almost a fatal temptation. Trusting its advertised "Security Center", I recently upgraded two computers. The glow of the upgrade had barely faded when the trouble arrived.
My earlier DCOM remote query system stopped working. Whenever the client tried to reach the server, DCOM security loudly threw its classic "Access denied". To get it running again I even began porting the platform from DCOM to the COM+ environment; under COM+, after setting up a domain and roles, the client finally ran. Then, during an incidental server test, the "Security Center" asked me whether to block "DLLHOST.EXE" at the firewall. In that instant I understood why my DCOM could not work: it was the firewall! Recalling the content of the SP2 documentation on security issues, I re-configured the DCOM server and client, and finally it ran! Below is the setup procedure that I went through myself:
First, set the minimum security attributes between Windows workstations:
Windows uses the NTLM security package for security checks on DCOM exchanges between standalone workstations (not joined to a domain). Under Windows' security account mechanism, an account's SID differs from one workstation to another: even if both workstations have an account with the same name and password, they are still two different accounts. To get DCOM working across workstations, many people have discussed approaches for Windows 2000 and XP; here I give only the method I have tested myself (although its security is not good).
Server-side settings:
1) Run dcomcnfg and set the default computer-wide security attributes: in [Component Services] · [Computers] · [My Computer] · [Properties], on the [COM Security] tab, click "Edit Limits" and, for both "Access Permissions" and "Launch and Activation Permissions", set at least remote access to "Allow" (Figure 1.1, Figure 1.2).
Figure 1.1
Figure 1.2
2) Set the server's permissions: add Everyone to "Launch and Activation Permissions" and "Access Permissions", and set all of those permissions to "Allow" (Figure 1.3, Figure 1.4):
Figure 1.3
Figure 1.4
When the client imports the application server's type library into the local computer, no other settings are needed. If the client is also a server, it must also be configured according to the requirements above.
Second, set the Windows XP SP2 firewall:
Server side:
For a DLL-type server (in-process server), DLLHOST.EXE must be added to the firewall's exceptions list of programs and services (Figure 2.1). For an EXE-type server (out-of-process server), the application's executable must be added to the exceptions list of programs and services (Figure 2.2). This step is the prerequisite for correct access under SP2 (unless you disable the firewall).
Figure 2.1
Figure 2.2
Client side:
A pure client only needs to add DLLHOST.EXE to the firewall's program exceptions list. For a machine that is both client and server, you still need to add the server executable to the exceptions list.
Third, COM+ settings.
Since the host loader of the COM+ runtime is also DLLHOST.EXE, both the COM+ server and the client must add DLLHOST.EXE to the firewall's exceptions list to run smoothly.
Fourth, DCOM and security considerations
The settings above assume a mixed population of users inside a local area network. They are not the recommended security settings (they are, in fact, unsafe). To keep things relatively secure, in SP2's firewall settings you can restrict the scope of each exception to a specified network range, for example a single local subnet (Figure 4.1).
Figure 4.1
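The firewall steps above (dllhost.exe for in-process and COM+ servers, the executable for out-of-process servers, and the subnet scoping of Figure 4.1) can be scripted with the "netsh firewall" context that Windows XP SP2 provides. This is an added example, not from the original post; it assumes an administrator command prompt and uses the placeholder path C:\Apps\MyDcomServer.exe for the EXE-type server.

```batch
@echo off
REM Added example (not the author's): scripted equivalent of the SP2 firewall
REM steps in this article, using the Windows XP SP2 "netsh firewall" context.
REM Assumption: the EXE-type (out-of-process) server lives at the placeholder
REM path below; a pure client simply does not have that file.

set DLLHOST=%SystemRoot%\system32\dllhost.exe
set EXESERVER=C:\Apps\MyDcomServer.exe

REM Weak setting (the default "Any computer" exception of Figures 2.1/2.2):
REM   netsh firewall add allowedprogram program=%DLLHOST% name="DCOM surrogate" mode=ENABLE scope=ALL
REM Preferred: scope=SUBNET limits the exception to the local subnet (Figure 4.1),
REM so the DCOM listener is not exposed to every network the machine joins.

REM DLL-type (in-process) servers and COM+ components are hosted by dllhost.exe,
REM so every machine that hosts or calls them needs this exception.
netsh firewall add allowedprogram program="%DLLHOST%" name="DCOM surrogate (dllhost)" mode=ENABLE scope=SUBNET profile=ALL

REM EXE-type (out-of-process) server: the executable itself must be excepted.
if exist "%EXESERVER%" netsh firewall add allowedprogram program="%EXESERVER%" name="DCOM EXE server" mode=ENABLE scope=SUBNET profile=ALL

REM Verify: each entry should be listed with its scope as the subnet, not all networks.
netsh firewall show allowedprogram
```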
DCOM has existed for more than ten years, and although technically it offers many fine-grained security controls, many people consider mastering DCOM security and applying it skilfully during development a huge challenge, and the ratio of its learning cost to its practical benefit is unacceptable. Therefore I think DCOM application services should be moved to the COM+ environment as soon as possible, whether from the standpoint of security or of development efficiency. COM+'s intuitive role-based security mechanism and its fine-grained, method-level security control mean that most small applications do not need to spend much effort on security settings. I felt this very deeply while solving my DCOM security problems: COM+ does not require me to call CoInitializeSecurity, and IClientSecurity can directly handle the differences between domain accounts, which is really "xxx cool". And the COM+ hosted-service concept is a fast path towards .NET. Of course, as we use COM+, our technology, knowledge and business become more and more unable to escape Microsoft's influence and control. However, to make life simpler we make many compromises; why should correct technology not compromise with what is efficient and easy to use? As long as we do not stop exploring other knowledge, our knowledge will not fall under "hegemonism". The Linux open source agreement between China, Japan and Korea is exactly this.
Kunlun, Urumqi, November 3, 2004
I don't know why, but the pictures I posted with this article on 9CBS cannot be displayed correctly. If you cannot see the pictures, please go to my document area at http://blog.9cbs.net/liangma and view them there.