You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. This policy setting allows you to specify an ACL in two different ways. These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. This policy setting controls access permissions to cover call rights. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. If the access check fails, the call, activation, or launch request is denied. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. These controls restrict call, activation, or launch requests on the device. This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. Describes the best practices, location, values, and security considerations for the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting.
0 kommentar(er)
