COM

COM

COM . , NT (nonremotable) ( , , ) , , . Windows NT 4.0 COM , . , COM RPC, COM RPC.

COM : (authentication), (access control) (token management). , : , , . , . , . COM , COM, . ; , , - " " NT. COM , .

COM . DCOMCNFG. ( ), COM. ( ) API- . DCOMCNFG.EXE API- . , DCOMCNFG.EXE.

COM RPC (impersonation). , RPC , . (protocol sequences) ( , "ncadg_ip_udp"), DLL. COM. RPC , . , DLL . DLL SSPI (Security Support Provider Interface ), Internet Draft Standard GSSAPI.

. :

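 /*
  * Authentication services (security support providers) that COM/RPC can
  * use; the same values go into SOLE_AUTHENTICATION_SERVICE.dwAuthnSvc.
  * RPC_C_AUTHN_NONE means incoming callers are not authenticated at all.
  */
 enum {
     RPC_C_AUTHN_NONE         = 0,           // no authentication package
     RPC_C_AUTHN_DCE_PRIVATE  = 1,           // DCE private key (not used)
     RPC_C_AUTHN_DCE_PUBLIC   = 2,           // DCE public key (not used)
     RPC_C_AUTHN_DEC_PUBLIC   = 4,           // Digital Equip. (not used)
     RPC_C_AUTHN_WINNT        = 10,          // NT LAN Manager (NTLM)
     RPC_C_AUTHN_GSS_KERBEROS = 16,          // Kerberos; value made explicit so it is
                                             // not silently assigned 11 (WINNT + 1)
     RPC_C_AUTHN_MQ           = 100,         // MS Message Queue package
     RPC_C_AUTHN_DEFAULT      = 0xFFFFFFFFL  // let the SSP pick its default service
 };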

RPC_C_AUTHN_WINNT , (NT LAN (local area network) Manager NTLM). RPC_C_AUTHN_GSS_KERBEROS , Kerberos. Windows NT 4.0 NTLM, SSP . Windows NT 5.0 NTLM Kerberos. .

, . , SSP DLL. , SSP DLL ORPC. , SSP DLL RPC , . SSP DLL , , . DCE RPC ( COM) , :

 /*
  * RPC authentication levels, listed in increasing order of protection.
  * The numeric value is what the registry stores:
  * LegacyAuthenticationLevel = 0x5 selects RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
  */
 enum {
     RPC_C_AUTHN_LEVEL_DEFAULT       = 0,  // let the package choose its default level
     RPC_C_AUTHN_LEVEL_NONE          = 1,  // callers are never authenticated
     RPC_C_AUTHN_LEVEL_CONNECT       = 2,  // credentials checked when the connection is made
     RPC_C_AUTHN_LEVEL_CALL          = 3,  // message headers protected on each call
     RPC_C_AUTHN_LEVEL_PKT           = 4,  // every packet header protected
     RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5,  // parameter data protected against tampering
     RPC_C_AUTHN_LEVEL_PKT_PRIVACY   = 6   // parameter data encrypted as well
 };

. RPC_C_AUTHN_LEVEL_NONE , . RPC_C_AUTHN_LEVEL_CONNECT , . , ORPC E_ACCESSDENIED. , , SSP . NTLM (challenge) . . , (response). , , , . , " " . NTLMSSP ( ) - , RPC . . ( , ) (pass-through authentication) .

RPC_C_AUTHN_LEVEL_CONNECT , , . , - RPC- DCE ( ) . RPC_C_AUTHN_LEVEL_CALL. SSP DLL RPC- RPC - ( ). RPC , RPC API RPC_C_AUTHN_LEVEL_PKT. , , RPC_C_AUTHN_LEVEL_CALL, RPC- .

RPC_C_AUTHN_LEVEL_PKT SSP DLL RPC- RPC- . , , RPC RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. SSP DLL , . SSP DLL, , RPC_C_AUTHN_LEVEL_PKT, , .

RPC_C_AUTHN_LEVEL_PKT_INTEGRITY RPC- ( , ). RPC RPC_C_AUTHN_LEVEL_PKT_PRIVACY. SSP DLL . RPC_C_AUTHN_LEVEL_PKT_PRIVACY . RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, SSP DLL, .

API- COM CoInitializeSecurity. , COM, CoInitializeSecurity , . CoInitializeSecurity . , API- . , CoInitializeSecurity RPC, , . , CoInitializeSecurity , ORPC- , . CoInitializeSecurity :

 /*
  * CoInitializeSecurity: sets a process's default COM security settings.
  * If a process never calls it, COM applies the registry defaults (AppID
  * AccessPermission / DefaultAccessPermission, LegacyAuthenticationLevel,
  * LegacyImpersonationLevel, LegacySecureRefs) at the "first interesting
  * COM call" -- see the text below.  Returns an HRESULT; the three reserved
  * pointers must be zero.
  */
 HRESULT CoInitializeSecurity(
   [in] PSECURITY_DESCRIPTOR pSecDesc,  // access control: which principals may call in
   [in] LONG cAuthSvc,                  // # of sec pkgs (-1 == use defaults)
   [in] SOLE_AUTHENTICATION_SERVICE *rgsAuthSvc,  // SSP array, one entry per package
   [in] void *pReserved1,               // reserved MBZ
   [in] DWORD dwAuthnLevel,             // RPC_C_AUTHN_LEVEL_* (authentication level)
   [in] DWORD dwImpLevel,               // RPC_C_IMP_LEVEL_*; impersonation level for proxies
                                        // (see the CoUnmarshalInterface discussion below)
   [in] void *pReserved2,               // reserved MBZ
   [in] DWORD dwCapabilities,           // EOAC_* flags
   [in] void *pReserved3                // reserved MBZ
 );

, / . / . .

CoInitializeSecurity, pSecDesc, , . , , (principals) , . . CoInitializeSecurity, cAuthSvc rgsAuthSvc, COM. :

 /* One entry of the SSP array handed to CoInitializeSecurity (rgsAuthSvc). */
 typedef struct tagSOLE_AUTHENTICATION_SERVICE {
   DWORD dwAuthnSvc;  // which authentication package? (an RPC_C_AUTHN_* value)
   DWORD dwAuthzSvc;  // which authorization service? (RPC_C_AUTHZ_NONE for NTLM -- see text)
   OLECHAR *pPrincipalName; // server principal name?
   HRESULT hr;              // result of registration for this entry
 } SOLE_AUTHENTICATION_SERVICE;

Windows NT 4.0 RPC_C_AUTHN_WINNT (NTLM). NTLM (authorization service , ) RPC_C_AUTHZ_NONE, 1. , ( ) , : cAuthSvc, -1, rgsAuthSvc, .

CoInitializeSecurity, dwAuthnLevel, , . , , , . , ORPC- ; . , , API- COM. , COM , , , OXID. COM , , . , , , , . , ORPC- , , . , 2.

CoInitializeSecurity, dwImpLevel . , , (impersonation level), , CoUnmarshalInterface. , . , :

 /*
  * Impersonation levels: how much of the caller's identity an object may
  * see or use.  Higher values grant the server more.  The registry value
  * LegacyImpersonationLevel = 0x3 selects RPC_C_IMP_LEVEL_IMPERSONATE.
  */
 enum {
     RPC_C_IMP_LEVEL_ANONYMOUS   = 1,  // object cannot learn who the caller is
     RPC_C_IMP_LEVEL_IDENTIFY    = 2,  // object may inspect the caller's credentials only
     RPC_C_IMP_LEVEL_IMPERSONATE = 3,  // object may act as the caller, one hop away at most
     RPC_C_IMP_LEVEL_DELEGATE    = 4   // caller's credentials may be forwarded across several
                                       // hops (per the text below, Kerberos rather than NTLM)
 };

RPC_C_IMP_LEVEL_ANONYMOUS 3. RPC_C_IMP_LEVEL_IDENTIFY , . RPC_C_IMP_LEVEL_IMPERSONATE , , . , 4. , RPC_C_IMP_LEVEL_DELEGATE , . NTLM, Kerberos.

CoInitializeSecurity, dwCapabilities . , :

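 /*
  * Capability flags for CoInitializeSecurity's dwCapabilities.  These are
  * bit flags (hex literals 0x0 .. 0x8) and may be combined with |.
  */
 typedef enum tagEOLE_AUTHENTICATION_CAPABILITIES {
   EOAC_NONE           = 0x0,
   EOAC_MUTUAL_AUTH    = 0x1,  // mutual authentication (see the text below regarding NTLM)
   // These are only valid for CoInitializeSecurity
   EOAC_SECURE_REFS    = 0x2,  // registry default comes from LegacySecureRefs = "Y"
   EOAC_ACCESS_CONTROL = 0x4,
   EOAC_APPID          = 0x8
 } EOLE_AUTHENTICATION_CAPABILITIES;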

(EOAC_MUTUAL_AUTH) NTLM . , . (EOAC_MUTUAL_AUTH) , COM , , OR . EOAC_ACCESS_CONTROL EOAC_APPID CoInitializeSecurity .

, CoInitializeSecurity , . , CoInitializeSecurity , CoInitializeEx, " COM" (first interesting COM call). " COM" API- , OXID. CoMarshalInterface CoUnmarshalInterface, API- , . CoRegisterClassObject , CoInitializeSecurity . API- ( , CoCreateInstanceEx) . API- , COM API ( , , COM- ) CoInitializeSecurity. , CoInitializeSecurity , , DLL . CoInitializeSecurity , COM COM.

COM CoInitializeSecurity , . , , AppID . AppID , COM

 HKEY_CLASSES_ROOT\AppID 

COM , AppID AppID:

 [HKCR\AppID\ServerOfTheApes.exe] AppID="{27EE6A4D-DF65-11d0-8C5F-0080C73925BA}" 

, COM , .

CoInitializeSecurity , pSecDesc, ( ) NT SECURITY_DESCRIPTOR :

 [HKCR\AppID\{27EE6A4D-DF65-11d0-8C5F-0080C73925BA}] AccessPermission=<serialized NT security descriptor> 

, COM :

 [HKEY_LOCAL_MACHINE\Software\Microsoft\OLE] DefaultAccessPermission=<serialized NT security descriptor> 

DCOMCNFG. . , COM (security descriptor), SYSTEM. COM , Win32 API- AccessCheck , .

CoInitializeSecurity (cAuthSvc rgsAuthSvc) -1 , , , . CoInitializeSecurity (dwAuthnLevel dwImpLevel) :

 [HKEY_LOCAL_MACHINE\Software\Microsoft\OLE] LegacyAuthenticationLevel = 0x5 LegacyImpersonationLevel = 0x3 

RPC_C_AUTHN_LEVEL_PKT_INTEGRITY RPC_C_IMP_LEVEL_IMPERSONATE 5 3 . , RPC_C_AUTHN_LEVEL_CONNECT RPC_C_IMP_LEVEL_IDENTIFY. , CoInitializeSecurity, dwCapabilities, EOAC_SECURE_REFS:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\OLE] LegacySecureRefs = "Y" 

"Y" "y", COM EOAC_SECURE_REFS; EOAC_NONE. DCOMCNFG. .


1 .

2 , / , . , NTLM RPC_C_AUTHN_LEVEL_PKT_PRIVACY . , NTLM RPC_C_AUTHN_LEVEL_CONNECT RPC_C_AUTHN_LEVEL_CALL RPC_C_AUTHN_LEVEL_PKT (datagram transports) ( , UDP). , (connection-oriented transport) ( , TCP), NTLM RPC_C_AUTHN_LEVEL_CALL o RPC_C_AUTHN_LEVEL_PKT.

3 SSP - NTLM Kerberos - , RPC_C_IMP_LEVEL_IDENTIFY, .

4 RPC_C_IMP_LEVEL_IMPERSONATE . .


