Configuring Launch Permissions for COM+ Server Objects

  • Article

Applies To: Windows Server 2003 R2, Windows Server 2003 with SP1

Changes in Windows Server 2003 Component Object Model (COM) services and IIS 6.0 have security implications for COM+ objects in ASP pages, ISAPI extensions, or any other application that runs on IIS. To minimize security risks, the new process model for IIS 6.0 requires all worker processes to run under an identity other than LocalSystem. If the identity of the worker process does not have launch permissions for that object, the object will not be successfully created. You must grant sufficient user rights to allow the IIS worker process to successfully create the object without granting so many rights that the identity poses a security risk.

Important

For Windows Server 2003, the IUSR_computername and IWAM_computername accounts are created and granted launch permissions to DCOM components by default when installing IIS. For Windows Server 2003 Service Pack 1 (SP1), the accounts are still created, but are no longer granted launch permissions to DCOM components by default when installing IIS. If you had IIS installed prior to upgrading to SP1, the permissions will not be changed. However, if you install IIS after upgrading to SP1, COM objects will fail to launch under the IUSR_computername and IWAM_computername accounts if your application uses default launch permissions for those accounts. In this situation you will receive an access denied error. Use the procedure below to grant explicit launch permissions to specific user(s) or group(s) to launch COM objects instead of using default launch permissions.

The following recommendations can provide sufficient security while reducing administrative overhead:

  • Instead of adding individual users directly to the launch permissions for an object, create a group on the computer on which the COM+ object runs, and then add the individual users to this group. Then, add this group to the launch permissions for the object.

  • If a COM+ object was created from the GetExtensionVersion method of an ISAPI extension, from an ISAPI filter, or from an ISAPI extension that is running as the identity of the current process, add the IIS_WPG group to the launch permissions for the object.

    Note

    You cannot use this approach with COM+ objects that are running in-process.

Procedures

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To configure launch permissions for distributed Web applications

  1. Click Start, and then click Control Panel.

  2. Double-click Administrative Tools, and then click Component Service.

  3. In the left pane of Component Services, double-click Component Services, double-click Computers, and then click My Computer.

  4. Click the DCOM Config folder.

  5. In the details pane, find the object for which you want to modify the default launch permissions, right-click the icon for the object, and then click Properties.

  6. Click the Security tab.

  7. Under Launch Permissions, click Customize, and then click Edit.

Important

You should not modify the default launch permissions for an application.