Configuring MFCOM Launch Permissions

Added by Vishal Ganeriwala , last edited by Vishal Ganeriwala on Oct 02, 2007
Tags: 

Summary

MFCOM launch permission is configured using the DCOMCNFG tool.
The launch permission specifies who is given or denied the ability to create MFCOM objects. Because MFCOM can only enforce access permission using impersonation, the launch permission is out of the scope of the MFCOM process. MFCOM cannot control access attempts made to it by the system.
Although MFCOM is able to deny unauthorized accesses once an object has been created, the launch permission should be configured properly to allow only authorized users to create objects in MFCOM. Denial of service attacks may cause too many objects being created and deleted if unauthorized users are allowed to launch MFCOM objects.
The system maintains a default DCOM launch permission that can be used by all COM servers. It also allows each COM server to use its own launch permission, which overrides the default launch permission.

Configuring the Default DCOM Launch Permissions On Windows 2000

  1. Run the DCOMCNFG tool at a command line prompt and click the Default Security tab.

  1. In the Default Launch Permissions area, click the Edit Default button.

  1. In this dialog box, you can perform the following actions:
    1. To add users or groups, click Add and complete the fields.
    2. To remove a user or group form the list, highlight the user or group and click Remove .
    3. To configure the type of access for a selected user or group, highlight the group and select either Allow Launch or Deny Launch Permission from the Type of Access drop-down list.

Configuring the DCOM Launch Permissions For MFCOM On Windows 2000

  1. Run the DCOMCNFG tool at a command line prompt and click the Applications tab.

  1. Scroll through the list of applications and double-click MetaFrame DCOM Server 5.0 .
  2. Click Properties .

  1. Click the Security tab.

  1. Select Use custom launch permissions and click Edit . The Configure Default DCOM Launch Permission On Windows 2000 dialog box appears. Follow step 3 in the Configuring Default DCOM Launch Permission On Windows 2000 procedure to finish configuring the launch permissions for MFCOM.

Configuring the Default Launch Permissions On Windows 2003

  1. Run the DCOMCNFG tool at a command prompt.

  1. Expand Component Services and Computers .

  1. Right-click My Computer and select Properties .

  1. Click the Default COM Security tab.

  1. In the Launch Permissions area, click Edit Default .

  1. In this dialog box, you can perform the following actions:
    1. To add users or groups, click Add and complete the fields.
    2. To remove a user or group form the list, highlight the user or group and click Remove .
    3. To configure the type of access for a selected user or group, highlight the group and select either Allow or Deny in the Permissions for Administrators window.

Configuring the MFCOM Launch Permissions On Windows 2003

  1. Run the DCOMCNFG tool at a command prompt.


1. Expand Component Services > Computers > DCOM Config .

3. Right-click the MetaFrame COM Server node and select Properties .

4. Click the Security tab.

5. In the Launch Permissions area, click the Customize option and click Edit .

6. In this dialog box, you can perform the following actions:

  • To add users or groups, click Add and complete the fields.
  • To remove a user or group form the list, highlight the user or group and click Remove .
  • To configure the type of access for a selected user or group, highlight the group and select either Allow or Deny in the Permissions for Administrators window.

  • Add to Bookmarks