Microsoft KB Archive/810564

= HOW TO: Create COM Servers in the World Wide Web Worker Process =

Article ID: 810564

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0

-

IN THIS TASK


 * SUMMARY
 * View the Current Launch Permissions for an Object
 * Modify Default Launch Permissions for an Application
 * Provide More Security While Easing the Administrative Burden

SUMMARY
This step-by-step article describes how to configure launch permissions for out-of-process DCOM server objects that are created by distributed Web applications that are running on Internet Information Services (IIS) 6.0.

View the Current Launch Permissions for an Object
Because of changes in Microsoft Windows Server 2003 Component Object Model (COM) services and IIS 6.0, you must carefully plan security when you create Web applications. IIS 6.0 implements a new process model that causes all worker processes to run under an identity other than Local System to help prevent security vulnerabilities. When you create a DCOM object in an Active Server Pages (ASP) page, an Internet Server API (ISAPI) extension, or any other application that is run through IIS, the identity of the worker process is used to launch the object.

If the identity of the worker process does not have launch permissions for that object, object creation fails. Therefore, you must correctly configure the launch permissions for any DCOM objects that are launched through IIS. You must grant enough user rights for the IIS worker processes to create the object, but not so many rights that the configuration itself becomes a security risk.

To view the current launch permissions for an object:

1. Click Start, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Component Services.
4. In the left pane of Component Services, double-click Component Services, double-click Computers, and then click My Computer.
5. Click the DCOM Config folder.
6. In the right pane, find the object for which you want to modify the default launch permissions. Right-click the object's icon, and then click Properties.
7. Click the Security tab.
8. Under Launch Permissions, click Customize, and then click Edit.

Modify Default Launch Permissions for an Application
Microsoft does not recommend that you modify the default launch permissions for an application. If you must do this, follow these steps:

1. Follow the steps in the View the Current Launch Permissions for an Object section to view the current launch permissions for an application.
2. Click Add, and then type the name of the user or group that must be granted launch permissions.
3. Click OK.
4. Click the name of the user or group that you just added, and then click to select the Allow check box (next to Launch Permission). Alternatively, you can explicitly prevent a user from launching this object. To do this, click to select the Deny check box next to Launch Permission.

Note Microsoft does not recommend that you grant launch permissions to any application for the built-in group NT AUTHORITY\Network. This is both because of the size of the group and because of the security risk that this configuration presents.

Provide More Security While Easing the Administrative Burden
To help provide more security while you ease the administrative burden, Microsoft recommends the following:
 * Instead of adding individual users directly to the launch permissions for an object, create a group on the computer that the DCOM object runs on, add the individual users to this group, and then add this group to the launch permissions for the object.
 * If you create the object from an ISAPI extension's GetExtensionVersion method, from an ISAPI filter, or from an ISAPI extension that is running as the identity of the current process, also add the IIS_WPG group to the launch permissions of the object.

Note the following: This process does not apply to "unconfigured" in-process COM objects (that is, standard COM DLLs that are not registered in COM+), because DCOM Launch and Access checks are not made in this scenario. This process also does not apply to "configured" COM+ objects (that is, objects that are registered in the COM+ catalog), because for those objects DCOM Launch and Access checks are based on the roles of the corresponding COM+ application. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

810153 PRB: Access check is enabled by default when a COM application is created
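The Component Services steps above edit the LaunchPermission security descriptor that COM stores under the object's AppID registry key. The following PowerShell script, an added example that is not part of this KB article, does the same work from a script: it lists the launch ACEs of an AppID (the View section) and appends a local-launch Allow entry for a group (the recommendation to grant a group, and IIS_WPG, rather than individual users). The registry locations, the COM_RIGHTS_EXECUTE and COM_RIGHTS_EXECUTE_LOCAL mask values, and the .NET security-descriptor classes are real; the all-zero AppID GUID, the group name DcomLaunchers and the account IISServer\WebAppUser are placeholders, and the script assumes PowerShell 5 or later running elevated on the server that hosts the object.

```powershell
# Added example, not part of KB 810564: inspect and extend the per-AppID DCOM
# launch permission from PowerShell instead of the Component Services MMC.
# Run elevated on the computer that hosts the COM server.

# DCOM access-mask bits from the COM SDK. Windows Server 2003 RTM only checks
# COM_RIGHTS_EXECUTE; SP1 and later split launch and activation into local/remote bits.
$COM_RIGHTS_EXECUTE       = 1
$COM_RIGHTS_EXECUTE_LOCAL = 2

function Get-DcomLaunchDescriptor {
    # Returns the LaunchPermission of an AppID as a RawSecurityDescriptor,
    # or $null when the object has no custom value (the machine default applies).
    param([Parameter(Mandatory)][string]$AppId)
    $key = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    if (-not (Test-Path $key)) { throw "AppID $AppId is not registered on this computer" }
    $bytes = (Get-ItemProperty -Path $key).LaunchPermission
    if ($null -eq $bytes) { return $null }
    # The value is a self-relative security descriptor stored as REG_BINARY
    return [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
}

function Show-DcomLaunchPermission {
    # Lists each launch ACE with a resolved account name, like the Security tab does.
    param([Parameter(Mandatory)][string]$AppId)
    $sd = Get-DcomLaunchDescriptor -AppId $AppId
    if ($null -eq $sd) {
        Write-Output "$AppId uses the machine-wide default launch permission."
        return
    }
    Write-Output ("SDDL: " + $sd.GetSddlForm('All'))
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACE types that carry a SID and an access mask are meaningful here
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # orphaned SID, e.g. a deleted account
        [pscustomobject]@{
            Principal   = $who
            AceType     = $ace.AceType   # AccessAllowed or AccessDenied
            LocalLaunch = [bool]($ace.AccessMask -band ($COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL))
            Mask        = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

function Grant-DcomLocalLaunch {
    # Appends an Allow ACE for $Principal (a group, per the article's advice) granting
    # local launch, and leaves every existing ACE, including Deny entries, in place.
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$Principal   # e.g. "$env:COMPUTERNAME\DcomLaunchers"
    )
    $sd = Get-DcomLaunchDescriptor -AppId $AppId
    if ($null -eq $sd) {
        # No custom value yet: start from the machine-wide default so nobody loses rights
        $def = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
        if ($null -eq $def) { throw 'DefaultLaunchPermission is not set; set it in Component Services first' }
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($def, 0)
    }
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = [System.Security.AccessControl.RawAcl]::new(2, 1)
    }
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = [System.Security.AccessControl.CommonAce]::new(
               [System.Security.AccessControl.AceFlags]::None,
               [System.Security.AccessControl.AceQualifier]::AccessAllowed,
               ($COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_LOCAL),
               $sid, $false, $null)
    # Allow ACEs belong after any Deny ACEs, so appending keeps the DACL canonical
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$AppId" -Name LaunchPermission -Value $bytes -Type Binary
}

# Usage (placeholder GUID and names; substitute the AppID of the server you are configuring):
#   net localgroup DcomLaunchers /add
#   net localgroup DcomLaunchers IISServer\WebAppUser /add      # individual users go into the group
#   Grant-DcomLocalLaunch -AppId '{00000000-0000-0000-0000-000000000000}' -Principal "$env:COMPUTERNAME\DcomLaunchers"
#   Grant-DcomLocalLaunch -AppId '{00000000-0000-0000-0000-000000000000}' -Principal "$env:COMPUTERNAME\IIS_WPG"
#   Show-DcomLaunchPermission -AppId '{00000000-0000-0000-0000-000000000000}'
```

Run Show-DcomLaunchPermission before and after the change and compare the SDDL lines; the Mask column is the raw DCOM access mask, so an entry granting only 0x1 on a pre-SP1 server is the single Launch Permission that the Security tab shows. Granting the group rather than the worker-process account keeps the per-object ACL stable when the application pool identity changes, which is the administrative point the article makes.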

Keywords: kbhowtomaster KB810564

-

© Microsoft Corporation. All rights reserved.