COM and DCOM Security (Windows CE 5.0)
COM provides an infrastructure to expose functional objects to applications. Distributed COM (DCOM) enables programmatic calls from an application to COM objects on remote devices. This technology has potential security risks when deployed to run over a public network, such as the Internet. If the security of the technology is compromised, it could expose the device or local network to the public network.
There are two levels of security to consider when you implement a distributed application:
- Network security helps control who can access a computer. At this security level, Distributed Component Object Model (DCOM) security on Windows CE is equivalent to that of the Windows NT 4.0, SP5, implementation, which uses the Windows NT LAN Manager system security package (NTLM SSP). For more information, see COM Authentication.
- Local security helps control what a user is permitted to do on a computer after gaining access. This security level is defined by the operating system on the target computer. Windows CE helps regulate access to critical parts of the system as a whole, instead of on a resource-by-resource basis as is done on Windows NT. For more information, see COM Access Control.
Best Practices
Use authentication
DCOM security on Windows CE is equivalent to that of the Windows NT 4.0, SP5, implementation, which uses the NTLM Security Support Provider (NTLM SSP). DCOM uses the NTLM protocol to help establish user credentials if the flag RPC_C_AUTHN_WINNT is selected. For more information, see COM Authentication.
Use DCOM in a private network
Limit deployment of DCOM to a secure network that is physically isolated or protected by a firewall from the public network, such as the Internet. By default, the remoting capability of DCOM is disabled to help provide a more secure environment for the device. With remoting disabled, DCOM's local server capabilities remain available and the device can still be connected to the Internet. To enable the remoting capability, set the Sysgen variable, SYSGEN_DCOM_REMOTEACCESS, to 1.
Use access control
You can set up a list of users and permission levels in the registry. For more information, see COM Access Control.
Default Registry Settings
You should be aware of the registry settings that impact security. Security Note entries in the registry settings documentation explain security implications.
For more information, see COM and DCOM Registry Settings.
See Also
Component Services (COM and DCOM) | Enhancing the Security of a Device