Microsoft KB Archive/328522

= HOW TO: Set Access Security on Commerce Server Services by Using Dcomcnfg.exe =

Article ID: 328522

Article Last Modified on 10/29/2007

-

APPLIES TO


 * Microsoft Commerce Server 2002 Standard Edition

-



This article was previously published under Q328522





SUMMARY
This step-by-step article describes how to set access security on Commerce Server 2002.

back to the top

Set Access Security on Commerce Server Services
After you have installed Service Pack 1, you can set access security on Commerce Server Services by using Dcomcnfg.exe. This procedure applies only to Commerce Server 2002 Service Pack 1. You cannot use Dcomcnfg.exe to set security on Commerce Server services in any earlier release of Commerce Server.

To set access security on Commerce Server services, follow these steps:
 * 1) Run Dcomcnfg.exe.
 * 2) Lock down access to a Commerce Server service.

To Run Dcomcnfg.exe

 * 1) On the Start menu, click Run, type dcomcnfg, and then click OK. You may receive one or more warning dialog boxes when Dcomcnfg.exe starts.
 * 2) In one dialog box, Dcomcnfg.exe warns you about inconsistencies in the COM application registration.
 * 3) * Click Yes to have Dcomcnfg.exe update the registry.
 * 4) * Click No to continue; this does not update the registry.
 * 5) A list of all the COM applications that have a registered AppId appears.

The following Commerce Server service names appear in the list of applications that have a registered AppId:
 * Microsoft Commerce Server DirectMailer Service
 * Microsoft Commerce Server ListManager Service
 * Microsoft Commerce Server Predictor Service

On the Default Properties tab, you can apply default settings for all DCOM applications on the server. On the Default Security tab, you can apply security settings to all DCOM applications that do not explicitly override them.

To Lock Down Access to a Commerce Server Service

 * 1) Double-click the service name in the list of COM applications.
 * 2) In the Properties dialog box, click the Security tab.
 * 3) Click Use custom access permissions, and then click Edit.
 * 4) In the dialog box, click to select the users and groups for which you want to set permissions, and then permit or deny access to the service.

NOTE: The Interactive group is for users who log on to the server locally. The Network group is for remote users who gain access to the service through DCOM.

IMPORTANT NOTE: After you change the access permissions for the services by using Dcomcnfg.exe, you must restart the service (if it is running) to have COM read and use the new security settings.

Recommended Lockdown Procedure

 * 1) Create three Microsoft Windows NT groups, one for each service. Name these new groups PredictorUsers, DirectMailerUsers, and ListManagerUsers.
 * 2) Add to these groups the user accounts that you want to gain access to these services. Verify that you include the DirectMailer service account in the group that has access to the ListManager service.
 * 3) By using Dcomcnfg.exe, configure each service to use custom access permissions.
 * 4) Remove the Interactive user from the list of users who have access to the service. This prevents unauthorized users from accessing the services when they log on to the computer locally.
 * 5) Add the Windows NT user group that you created in step 1, and then give that group access to the service.

Set Process-wide Security by Using Dcomcnfg.exe
(The following information about DCOM security, Dcomcnfg.exe, and the CoInitializeSecurity API is from MSDN. For more information, see Programming Windows Security by Keith Brown (Addison Wesley, 2000).)

If you want to set security for a whole process, you can set the security levels you want in the registry. If your application cannot call the CoInitializeSecurity function, or if you do not want to use programmatic security, this might be a good option. If you decide to set process-wide security by using the registry, note that if you call CoInitializeSecurity in your application, COM uses the values in CoInitializeSecurity and ignores the registry values.

You might want to turn on security for a specific application if the application requires security settings that are different from those that other programs on the computer require. For example, you might want to use computer-wide settings for your programs that require a low level of security, and then set a higher level of security for a specific application.

However, security settings in the registry that apply to a specific application are not always used. For example, the application-wide settings that you set in the registry by using Dcomcnfg.exe are overridden if a client calls CoSetProxyBlanket to set security for a specific interface proxy. Also, if a client or server (or both) calls CoInitializeSecurity to set security for a process, the settings in the registry are ignored. Instead, the parameters that are specified to CoInitializeSecurity are used.

Security Settings
When you turn on security for an application, you may have to change several settings. These include authentication level, location, start permissions, access permissions, and identity. For step-by-step procedures, see the following topics in this section:
 * Set the Authentication Level for an application
 * Set the Location for an application
 * Set Start Permissions for an application
 * Set Access Permissions for an application
 * Set the Identity for an application
 * View the User Database
 * View the User Database

Set the Authentication Level for an Application
To turn on security for an application, you must set an authentication level other than None. The authentication level tells COM how much authentication protection is required. The level can range from authenticating the client at the first method call to fully encrypting parameter states. For more information about authentication levels, see RPC_C_AUTHN_LEVEL_xxx.

To set the authentication level for an application, follow these steps:
 * 1) In Dcomcnfg.exe, on the Applications page, select the application, and then click Properties.
 * 2) On the General tab, in the Authentication Level list box, select an authentication level other than (None).
 * 3) If you want to set other properties for this application, click Apply to apply the new authentication level. If you do not want to set other properties for this application, click OK to apply this setting and close the Properties dialog box.

Set the Location for an Application
The location that you set for your application determines the computer on which the application runs. You can run your application on the computer where the data is located, or on the computer that you use to set the location, or on a different computer that you specify.

To set the location for an application, follow these steps:
 * 1) In Dcomcnfg.exe, on the Applications page, select the application, and then click Properties.
 * 2) In the Properties dialog box, on the Location tab, click to select one or more check boxes that correspond to locations where you want the application to run. If you select more than one check box, COM uses the first one that applies. If you are running Dcomcnfg.exe on the server computer, always select Run Application On This Computer.
 * 3) If you want to set other properties for this application, click Apply to apply the new authentication level. If you do not want to set other properties for this application, click OK to apply this setting and close the Properties dialog box.

Set Start Permissions for an Application
You can use Dcomcnfg.exe to set start permissions to control the list of users who are granted or denied permission to start a particular server. You can add users or groups to the list by specifying whether access permission is granted or denied. You can also remove users from the list.

To set start permissions for an application, follow these steps:
 * 1) In Dcomcnfg.exe, on the Applications page, select the application, and then click Properties.
 * 2) In the Properties dialog box, on the Security tab, click to select Use custom launch permissions, and then click Edit.
 * 3) To remove users or groups, in the list box, select the user or group that you want to remove, and then click Remove. The selected user or group no longer appears in the list box. When you have finished removing users and groups, click OK.
 * 4) If you want to add users or groups, click Add.
 * 5) If you know the fully qualified user name that you want to add, type it in the Add Names text box. If you do not know the user name, you can view the user database to locate it. When you have located the user name, select the user or group from the Names list box, and then click Add.
 * 6) In the Type of Access list box, select the access type (either Allow Launch or Deny Launch). To add other users whom you want to have the selected type of access, repeat step 5. When you have finished adding users for the selected access type, click OK.
 * 7) To add users whom you want to have a different type of access, repeat steps 5 and 6. When you have finished adding users, click OK to apply the changes.

Set Access Permissions for an Application
You can use Dcomcnfg.exe to control the list of users who are granted or denied access to the methods of a specified server by setting access permissions. You can add users or groups to the list, and then specifying whether access permission is granted or denied. You can also remove users from the list.

When you set access permissions, you must verify that System is included in the list of users who have access. If you have granted access permissions to Everyone, System is included implicitly.

To set access permissions for an application, follow these steps:
 * 1) In Dcomcnfg.exe, on the Applications page, select the application, and then click Properties.
 * 2) On the Security tab, click Use custom access permissions, and then click Edit.
 * 3) To remove users or groups, select the user or group that you want to remove, and then click Remove. The selected user or group no longer appears in the list box. When you have finished removing user and groups, click OK.
 * 4) If you want to add a user or a group, click Add.
 * 5) If you know the fully qualified user name you want to add, type it in the Add Names text box. If you do not know the user name, you can view the user database to locate it. When you have located the user name, select the user or group in the Names list box, and then click Add.
 * 6) In the Type of Access list box, select the access type (either Allow Access or Deny Access). To add other users whom you want to have the selected type of access, repeat step 5. When you have finished adding users for the selected access type, click OK.
 * 7) To add users whom you want to have a different type of access, repeat steps 5 and 6. When you have finished adding users, click OK to apply the changes.

Set the Identity for an Application
An application's identity is the account that is used to run the application. The identity can be that of the user who is currently logged in (the interactive user), the user account of the client process that launched the server, a specified user, or a service. You can use Dcomcnfg.exe to select one of these identities for the application. For help to decide which identity to set for your application, see &quot;Application Identity&quot;.

To set identity for an application, follow these steps:
 * 1) In Dcomcnfg.exe, on the Applications page, select the application, and then click Properties.
 * 2) On the Identity tab, click to select the identity that you want. If you select This User, you must type the user name, the password, and the confirmed password.
 * 3) If you want to set other properties for this application, click Apply to apply the new identity. If you do not want to set other properties for this application, click OK to apply this setting and close the Properties dialog box.

View the User Database
You can view the user database in Dcomcnfg.exe when you want to find the fully qualified user name for a particular user. For example, you can view the user database to locate a user whom you want to add to a list for access or start permissions.

To view the user database, follow these steps:
 * 1) In the List Names From list box, select the domain that contains the user or group that you want to add.
 * 2) To see the users who belong to the selected domain, click Show Users.
 * 3) To see the members of a specific group, in the Names list box, select the group, and then click Members.
 * 4) If you cannot locate the user or group that you want to add, click Search. This opens the Find Account dialog box. Select the domain that you want to search (or select Search All), type the user name that you want to locate, and then click Search.

Additional query words: plutonium

Keywords: kbproductlink kbfix kbhowto kbhowtomaster kbnofix kbpending KB328522

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.