
(Optional) Pre-configure groups for high security DCOM settings

Microsoft has taken measures to increase security in each subsequent release of Windows Server with regard to DCOM processes. These enhancements, designed to reduce operating system security concerns, are outlined in various documents and articles in the Microsoft Knowledge Base (http://search.microsoft.com).

In order for the CIC server's DCOM components to function correctly and in a secure manner, Windows' DCOM security permissions must be modified to include the domain accounts of all CIC users. An example of a CIC server DCOM process is the IC Authentication Service. If the DCOM permissions are not set correctly, CIC client authentication will fail and the users must enter their CIC user and password when they log in to the CIC client.

When you run the IC Setup Assistant to configure the CIC server, you will have the opportunity to indicate whether the DCOM permissions should be set for the following security levels:

  • Allow Everyone (Not recommended, least security). This option adds all rights to the Everyone group. If a Windows Domain (NT Authenticated Users) group exists, it will be removed. This option should be used only in small environments that do not have the option to perform NT Authentication.

  • Allow Authenticated Users (Recommended, medium security). This option adds all rights to the Windows Domain (NT Authenticated Users) group and removes remote launch/activate from the Everyone group. This is the default selection.

  • Add pre-configured group(s) containing all CIC users' domain accounts (Highest security). For a tighter level of security, you can add pre-configured Active Directory User group(s) or Local User group(s) (for example, workgroups). Setting up an Active Directory User group conforms to the Microsoft method of administering permissions based on Active Directory groupings. This option adds all rights to the specified groups, restores the Everyone group back to the defaults, and removes the Windows Domain (NT Authenticated) Users group if it exists.

If you choose the default setting (or lower), IC Setup Assistant will automatically set the permissions — no further work is required.

Create groups

If you wish to set the DCOM permissions at a tighter level of security, you or the Domain Administrator should follow standard Windows procedures to create the appropriate Active Directory or Local User group(s) prior to running IC Setup Assistant. IC Setup Assistant will prompt for these group names.
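
One way to pre-create such an Active Directory group and reconcile its membership against the list of CIC users before running IC Setup Assistant. This is an added example, not part of the CIC documentation; the group name, OU path, account names, and the choice of a Global security group are assumptions to replace with your own values.

```powershell
# Added example. All names below are placeholders, not values from the CIC documentation.
Import-Module ActiveDirectory

$GroupName = 'CIC-DCOM-Users'                  # hypothetical group name
$GroupPath = 'OU=Groups,DC=example,DC=com'     # hypothetical OU
$CicUsers  = @('asmith', 'bjones', 'cnguyen')  # constructed sAMAccountNames of CIC users

# Create the security group only if it does not already exist.
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupPath `
        -Description 'CIC user accounts for DCOM permissions' -PassThru
}

# Direct members currently in the group (empty array for a new group).
$current = @(Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty SamAccountName)

# Add each CIC user that exists in AD and is not yet a member.
$notFound = @()
foreach ($sam in $CicUsers) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $user) { $notFound += $sam; continue }
    if ($current -notcontains $sam) {
        Add-ADGroupMember -Identity $group -Members $user
    }
}

# Accounts on the list with no AD object: these users would not be covered
# by the DCOM permissions and would be prompted for CIC credentials.
if ($notFound) {
    Write-Warning "No AD account found for: $($notFound -join ', ')"
}

# Members that are not on the CIC user list: review these, since the group
# is meant to contain only CIC users' domain accounts.
$extra = @($current | Where-Object { $CicUsers -notcontains $_ })
if ($extra) {
    Write-Warning "Members not on the CIC user list: $($extra -join ', ')"
}

# The name to give IC Setup Assistant when it prompts for the group.
Write-Output "Group ready: $($group.SamAccountName)"
```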