Posted by Roger Abell [MVP] on October 20, 2006, 4:37 pm
If you have concerns about the contained information I would say that you should manage information privacy internal to your components.

DCOM over the wire does use RPC, and secure RPC can be enabled to require packet privacy (see DCOM settings and the settings in group policy's security options for Network security - i.e. minimum security for NTLM SSP).

However, IMO you should not depend on this being configured correctly and used. Otherwise, the data marshalled with DCOM is just a packaging from its in-memory footprint (although this has changed with COM/COM+ versions) and how that data is transmitted can be controlled programmatically and/or administratively. A component using DCOM can be configured to require privacy (have your devs look up use of RPC_C_AUTHN_LEVEL_PKT_PRIVACY) but in my experience, if you leave this to the admins to configure (dcomcnfg, nav to components, and use authentication drop-box on general tab in properties of the component) then things will not be reliably protected.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
> Just how secure is the data path between an automation client and server? Is it possible to intercept / listen in to the data flow? Can I safely assume it's safe or should I have some form of encryption on both sides of the conversation, if I'm sending username/password data?
>
> Kind regards,
> Bruce M. Axtens
> Internal Engineer
> Strapper Technologies
>
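An added example, not part of the original post: a PowerShell audit of the administrative setting the reply describes, listing DCOM applications whose configured authentication level is below Packet Privacy (6, the value of RPC_C_AUTHN_LEVEL_PKT_PRIVACY). The function name `Get-DcomAuthLevelReport` is hypothetical, and the fallback to Connect when no machine-wide default is set is an assumption.

```powershell
# Added example: report DCOM applications that do not require packet privacy.
# Level numbers follow the RPC_C_AUTHN_LEVEL_* constants.
$LevelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet';  5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$PktPrivacy = 6   # RPC_C_AUTHN_LEVEL_PKT_PRIVACY

# Machine-wide default, used when an AppID configures no level of its own.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$MachineDefault = if ($ole -and $null -ne $ole.LegacyAuthenticationLevel) {
    [int]$ole.LegacyAuthenticationLevel
} else {
    2   # Assumption: treat a missing value as Connect
}

function Get-DcomAuthLevelReport {
    # Hypothetical helper name; Win32_DCOMApplicationSetting is the WMI view
    # of the per-application settings that dcomcnfg edits.
    Get-CimInstance -ClassName Win32_DCOMApplicationSetting | ForEach-Object {
        $configured = $_.AuthenticationLevel
        $inherits   = ($null -eq $configured) -or ($configured -eq 0)
        $effective  = if ($inherits) { $MachineDefault } else { [int]$configured }

        [pscustomobject]@{
            Name      = $_.Caption
            AppID     = $_.AppID
            Source    = if ($inherits) { 'machine default' } else { 'per-application' }
            Level     = $LevelNames[$effective]
            Encrypted = ($effective -ge $PktPrivacy)
        }
    }
}

# Show every application whose registry configuration does not demand encryption.
Get-DcomAuthLevelReport |
    Where-Object { -not $_.Encrypted } |
    Sort-Object -Property Name |
    Format-Table -AutoSize
```

A process that calls CoInitializeSecurity itself overrides these registry values, so this report covers only the administrative configuration, not what a component enforces in code.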