
DCOM: Machine Access Restrictions In Security Descriptor Definition Language (SDDL) syntax

DCOM stands for Distributed COM, and COM stands for Component Object Model. COM is the standard method of communication between client/server applications and the basis of the high-level APIs available to Windows developers. DCOM uses Remote Procedure Call (RPC) to expose COM objects on one computer to remote clients on other computers.

Prior to XP SP2 (and the introduction of these two DCOM security settings), it was difficult for an administrator to assess or control which COM objects were available to remote users, and this matters all the more because COM objects can allow anonymous access. Each COM object has its own ACL, and you would have had to look at each COM object's ACL to determine whether remote access was allowed and to whom. This policy and DCOM: Machine Launch Restrictions In Security Descriptor Definition Language (SDDL) syntax add a system-wide access check that all DCOM clients (local or remote) must pass before the individual COM object's ACL is evaluated.

I liken this system-wide DCOM check to share permissions on a shared folder. Many files may be accessible through a given network share, and each file may have its own unique permissions, but you must first pass the share-level permissions before the file permissions are checked.

Security Descriptor Definition Language (SDDL) is a way of defining ACLs in text format. The Security Descriptor Definition Language page provides more information on SDDL.

What's the difference between this setting and DCOM: Machine Launch Restrictions In Security Descriptor Definition Language (SDDL) syntax? Launch security controls which COM object classes a client can "instantiate" (i.e., create a server object, analogous to starting a service). Access security controls the subsequent DCOM calls made to an object that already exists.

For more information on DCOM security settings, this is a good article at Microsoft:

Bottom line

By default this policy is already fairly strong. Remote access is limited to authenticated users; after that, each object's own ACL should control exactly who can access what. Anonymous connections have no DCOM access. Therefore I would leave this setting at its default unless you want to block all users from accessing the computer via DCOM.
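Because the policy value is an SDDL string, the practical way to audit it is to decode the DACL and read the COM rights each trustee receives. The following is an added example for this page (not Microsoft's code or a Windows tool) that covers both the SDDL description above and the "bottom line" checks: it parses the ACEs, maps the two-letter SDDL right codes to the COM_RIGHTS_* bits that DCOM reuses them for (CC = EXECUTE, DC = EXECUTE_LOCAL, LC = EXECUTE_REMOTE, SW = ACTIVATE_LOCAL, RP = ACTIVATE_REMOTE), and flags a descriptor that gives ANONYMOUS LOGON remote access or that blocks remote DCOM for everyone. The three sample descriptors are constructed for illustration and are not the literal Windows defaults; on a real machine you would feed in the value read from the policy instead.

```python
"""Decode and audit a DCOM machine-wide access restriction given in SDDL.

Added example, not Microsoft's code. The right-letter mapping follows DCOM's
documented reuse of the generic SDDL right codes; the sample descriptors are
constructed and are NOT the exact Windows defaults.
"""
import re

# SDDL two-letter right codes as DCOM uses them (value = COM_RIGHTS_* bit).
SDDL_RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10}

COM_RIGHTS = {
    0x1: "EXECUTE",
    0x2: "EXECUTE_LOCAL",
    0x4: "EXECUTE_REMOTE",
    0x8: "ACTIVATE_LOCAL",
    0x10: "ACTIVATE_REMOTE",
}

# Well-known SDDL trustee aliases and the SIDs they stand for.
TRUSTEE_SIDS = {
    "WD": "S-1-1-0",        # Everyone
    "AN": "S-1-5-7",        # ANONYMOUS LOGON
    "AU": "S-1-5-11",       # Authenticated Users
    "BA": "S-1-5-32-544",   # BUILTIN\Administrators
    "SY": "S-1-5-18",       # LOCAL SYSTEM
}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample descriptors (NOT the literal Windows defaults).
SAMPLE_DEFAULT_LIKE = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"
SAMPLE_WEAKENED = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;AN)"
SAMPLE_LOCKED_DOWN = "O:BAG:BAD:(A;;CCDC;;;WD)"


def rights_mask(field):
    """Convert an SDDL rights field ('CCDCLC' or '0x7') to a COM rights bitmask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHT_BITS:
            raise ValueError("right code %r is not meaningful for DCOM" % code)
        mask |= SDDL_RIGHT_BITS[code]
    return mask


def parse_sddl(sddl):
    """Return the DACL of an SDDL string as a list of dicts, one per ACE."""
    match = re.search(r"D:(.*?)(?:S:|$)", sddl)  # DACL runs until the SACL or end
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = parts
        aces.append({
            "type": ace_type,                           # 'A' allow, 'D' deny
            "mask": rights_mask(rights),
            "sid": TRUSTEE_SIDS.get(trustee, trustee),  # alias or literal SID
        })
    return aces


def effective_rights(aces, sid):
    """Allowed-minus-denied COM rights for one SID (no group expansion)."""
    allowed = denied = 0
    for ace in aces:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "A":
            allowed |= ace["mask"]
        elif ace["type"] == "D":
            denied |= ace["mask"]
    return allowed & ~denied


def describe(mask):
    """Names of the COM_RIGHTS_* bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(COM_RIGHTS.items()) if mask & bit]


def audit_access_restriction(sddl):
    """Flag the two conditions the page discusses for the machine access DACL."""
    aces = parse_sddl(sddl)
    remote = SDDL_RIGHT_BITS["LC"]
    findings = []
    if effective_rights(aces, TRUSTEE_SIDS["AN"]) & remote:
        findings.append("ANONYMOUS LOGON has remote DCOM access (EXECUTE_REMOTE)")
    if not any(effective_rights(aces, TRUSTEE_SIDS[t]) & remote for t in ("WD", "AU")):
        findings.append("no remote access for Everyone or Authenticated Users: all remote DCOM blocked")
    return findings


if __name__ == "__main__":
    for name, sample in (("default-like", SAMPLE_DEFAULT_LIKE),
                         ("weakened", SAMPLE_WEAKENED),
                         ("locked down", SAMPLE_LOCKED_DOWN)):
        print(name, sample)
        for ace in parse_sddl(sample):
            print("  ", ace["type"], ace["sid"], describe(ace["mask"]))
        print("   findings:", audit_access_restriction(sample) or "none")
```

The audit deliberately evaluates only the machine-wide DACL, which is the "share permission" layer described above; a finding of "none" means a remote caller gets past this gate and each object's own ACL then decides, exactly as the bottom line says.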



Additional Resources
    Machine Access Restrictions In SDDL
    Machine Launch Restrictions In SDDL