Reference Material
Notice to DigitalPersona Customers with Pro Server v3.x or v4.x and Pro Workstation v3.x Installed
Re: Microsoft Windows Server 2003 Service Pack 1
Microsoft has published an article on its web site entitled "Programs that use DCOM do not work correctly after you install Microsoft Windows Server 2003 Service Pack 1" (http://support.microsoft.com/?kbid=892500). Because DigitalPersona Pro Software is a DCOM application, our software is affected by the changes made to COM permissions in Service Pack 1.
This notice only applies to installations with Pro Workstation v3.x. Installations in which all client computers are running Pro Workstation v4.x are not affected by this notice.
After installing Service Pack 1 on Windows Server 2003, administrators must apply the settings outlined below only on Windows Server 2003 with DigitalPersona Pro Server installed. These settings will enable Pro Server/Workstation communication and authentication.
1. Click Start, point to Administrative Tools, and then click Component Services.
2. Expand the Component Services container, and then expand the Computers container.
3. Expand the My Computer container.
4. Expand the DCOM Config container.
5. Right-click DPHost, and then click Properties.
6. On the Security tab, in the Launch and Activation Permissions area, choose Customize and click Edit.
7. Click Add and type Distributed COM Users and click OK.
8. The Distributed COM Users group is already granted Allow for Local Launch; leave this as is.
9. Click Allow for the Remote Activation permissions.
10. Click OK two times to accept the changes.
In addition, administrators must add "Domain Users" and "Domain Computers" to the "Distributed COM Users" group by following these steps in every Domain:
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand the domain container.
3. Expand the Builtin container.
4. Right-click Distributed COM Users, and click Properties.
5. On the Members tab click Add and type Authenticated Users.
6. Click OK two times to accept the changes.
Effects of These Settings
All DCOM interfaces in Windows Server 2000 and Windows Server 2003 were configured, by default, to grant remote access permissions and remote activation permissions to anonymous (unauthenticated) users. This created opportunities for remote attacks against the system.
Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers. In Windows Server 2003 SP1 all DCOM interfaces, by default, are configured to grant remote access, remote launch, and remote activation permissions only to administrators.
This change affects DigitalPersona Pro software, because it must provide services for all users, not just Domain Administrators. This is resolved by administrators explicitly granting remote access and remote activation permissions to the DCOM service to every authenticated user.
Granting these permissions lowers the security level of the domain, because it creates opportunities for remote attacks against the system by domain users through the DCOM interfaces. However, it is still a higher security level than on Windows Server 2000 and Windows Server 2003 without SP1, because anonymous access to DCOM interfaces is no longer allowed, which eliminates the possibility of attack from outside the firewall.
Pro Server Installations with Windows 98 Workstations
For installations in which Pro Workstation runs on Windows 98 workstations, administrators must make the following changes on each Windows Server 2003 server:
NOTE: If you have a mixed environment of Windows 98 workstations together with Windows 2000 or XP workstations, you need to perform all steps described in this document.
1. Click Start, point to Administrative Tools, and then click Component Services.
2. Expand the Component Services container, and then expand the Computers container.
3. Right-click My Computer, and then click Properties.
4. On the COM Security tab, click Edit Limits in the Launch and Activation Permissions area.
5. Click Add, type Anonymous Logon and click OK.
6. Click Allow for the Remote Access permissions.
7. Click OK two times to accept the changes.
8. Expand the My Computer container.
9. Expand the DCOM Config container.
10. Right-click DPHost, and then click Properties.
11. On the Security tab, choose Customize and click Edit in the Launch and Activation Permissions area.
12. Click Add, type Anonymous Logon and click OK.
13. Click Allow for the Remote Activation permissions.
14. Click OK two times to accept the changes. Then, try to use the program that uses DCOM.
NOTE: The results of these changes differ from those explained above for environments with Windows Server 2000 and 2003 only. The security level of the domain, with regard to anonymous DCOM access, returns to the same level as before SP1 was installed. DigitalPersona Pro is not the only product affected by SP1; other affected applications include anti-virus, firewall, backup and many other categories (including Microsoft Exchange 2003). For more information, visit http://support.microsoft.com/kb/896367.
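To verify what the dcomcnfg steps above actually left in place, the following PowerShell audit script (added here; it is not part of the DigitalPersona notice or product) decodes the machine-wide DCOM limits and the DPHost per-application permissions from the registry, lists which principals hold remote launch, activation or access rights, and flags any grant to Anonymous Logon, which the Windows 98 procedure reintroduces. It assumes it runs elevated on the Pro Server with PowerShell 2.0 or later, and, because the notice does not give DPHost's AppID GUID, it locates the AppID key by its default value "DPHost" (the $AppName assumption).

```powershell
# Added audit script, not from the DigitalPersona notice. Assumes an elevated
# PowerShell 2.0+ session on the Pro Server; $AppName is an assumed lookup key.
$AppName = 'DPHost'

function Get-DcomAces {
    param([byte[]]$Binary, [string]$Kind, [string]$Scope)   # Kind: 'Launch' or 'Access'
    if (-not $Binary) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @($Binary, 0)
    if (-not $sd.DiscretionaryAcl) { return }
    # COM_RIGHTS_* bits (iaccess.h) mean different things in launch vs. access descriptors
    $bits = if ($Kind -eq 'Launch') {
        @{ 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
    } else { @{ 2 = 'LocalAccess'; 4 = 'RemoteAccess' } }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        $mask = $ace.AccessMask
        # Pre-SP1 descriptors carry only COM_RIGHTS_EXECUTE (1), which SP1 treats as every right
        if (($mask -band 1) -and -not ($mask -band 30)) { $granted = @($bits.Values) }
        else { $granted = @($bits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $bits[$_] }) }
        New-Object PSObject -Property @{
            Scope = $Scope; Principal = $name; Ace = $ace.AceType; Rights = ($granted -join ',')
            # Anonymous Logon (S-1-5-7) holding a remote right is the exposure SP1 removed
            AnonRemote = ($sid.Value -eq 'S-1-5-7') -and [bool]($granted | Where-Object { $_ -like 'Remote*' })
        }
    }
}

# Machine-wide limits, edited through "Edit Limits" on the My Computer COM Security tab
$ole  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
$rows = @()
$rows += @(Get-DcomAces $ole.MachineLaunchRestriction 'Launch' 'MachineLimits')
$rows += @(Get-DcomAces $ole.MachineAccessRestriction 'Access' 'MachineLimits')

# Per-application permissions, edited under DCOM Config > DPHost > Security tab
$appKey = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { (Get-ItemProperty $_.PSPath).'(default)' -eq $AppName } | Select-Object -First 1
if ($appKey) {
    $app = Get-ItemProperty $appKey.PSPath
    $rows += @(Get-DcomAces $app.LaunchPermission 'Launch' $AppName)
    $rows += @(Get-DcomAces $app.AccessPermission 'Access' $AppName)
} else { Write-Warning "No AppID key whose default value is '$AppName' was found" }

$rows | Sort-Object Scope, Principal | Format-Table Scope, Principal, Ace, Rights, AnonRemote -AutoSize
$rows | Where-Object { $_.AnonRemote } | ForEach-Object {
    Write-Warning "$($_.Scope): Anonymous Logon holds $($_.Rights); anonymous DCOM exposure is back at the pre-SP1 level" }
```

An empty Rights column for a principal means the ACE grants neither local nor remote COM rights under SP1's decoding; a missing MachineLaunchRestriction or LaunchPermission value means the built-in defaults apply and nothing is listed for that scope.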