DCOM Security Limits

Microsoft has taken measures to increase security related to DCOM processes in Windows 2003 SP1 and later. These enhancements, designed to reduce operating system security concerns, are outlined in various documents and articles in the Microsoft Knowledge Base (http://search.microsoft.com).

In order for the CIC Server's DCOM components to function correctly and in a secure manner, Windows' DCOM security permissions must be modified to include the domain accounts of all CIC users. An example of a CIC Server DCOM process is the CIC Authentication Service. If the DCOM permissions are not set correctly, CIC client authentication will fail and the users must enter their CIC user and password.

Select the level of security needed for your site. The recommended level of security is to allow authenticated users.

For security pre-installation procedures, see the PureConnect Installation and Configuration Guide.

You may wish to use re-run IC Setup Assistant to set the DCOM security permissions to a more restrictive level.

Allow Everyone

(Not recommended, least security). This option adds all rights to the Everyone group. If a Windows Domain (NT Authenticated Users) group exists, it will be removed. This option should be used only in small environments that do not have the option to perform NT Authentication.

Allow Authenticated Users

(Recommended, medium security) This option adds all rights to the Windows Domain (NT Authenticated Users) group and removes remote launch/activate from the Everyone group. This is the default selection.

Add pre-configured group(s) containing all IC user's domain accounts

(Highest security) For a tighter level of security, you can add pre-configured Active Directory User group(s) or Local User group(s) (for example, workgroups). Setting up an Active Directory User group conforms to the Microsoft method of administering permissions based on Active Directory groupings. This option adds all rights to the specified groups, restores the Everyone group back to the defaults and removes the Windows Domain (NT Authenticated) Users group if it exists.  

Groups

You may have already created the group(s) as a pre-installation procedure described in the PureConnect Installation and Configuration Guide. If you have not done so, do so now. Follow standard Windows procedures for Active Directory or Local User group(s.)

Enter the group(s). Separate multiple groups with commas. Setup Assistant will perform a validation check with Active Directory before setting the group(s).

Note: If you are re-running IC Setup Assistant to modify groups, please note that groups can be added, but cannot be removed.

IC Survey Location: This information may be included in the IC Survey file. If so, the selection/value will appear in this dialog. You can review the contents of the IC Survey file by selecting View Survey in the Load IC Survey File dialog or opening it in a Pre-Install survey in the IC Survey system.