Setting Remote Launch in DCOM - delphi

I can use DCOMCNFG to disable remote launch on my DCOM application, but I would like to do this programatically. I looked at CoInitializeSecurity, but that does not seem to do it. Anyone done this?
I am using Delphi BTW.

The binary data is simply a security descriptor structure (PSecurityDescriptor). I mean it is a copy of the memory of this structure. And, of course, the security descriptor is self relative.
JWSCL can create such a structure easily.
Launch- and AccessPermission list for every user access rights that also contain remote and local access.

The permissions for Remote/Local Activation/Launch are stored in the registry under the AppID for the object.
I'm not sure how to edit it programmatically.

This is very similar to change Access Permissions in Component Services > COM Security with script/api? for which i posted a response.

Related

365 Block .exe Download

Is it possible to prevent the download and execution of files with a .exe extension using 365? I've searched across Endpoint Manager, Defender for Endpoint and Defender for Cloud Apps but can't see an obvious way of doing this.
Most of my searches suggest using AppLocker but this would only solve half the problem (blocking execution of the file).
Is there any way using Microsoft 365 technology to block the download and execution of files based on their extension?
You can try using Edge's relevant group policy or registry to achieve your needs. I think this should help you. Please refer to this policy document: Allow download restrictions.
It can be known in the documentation that the danger level of exe type files is ALLOW_ON_USER_GESTURE, so you can change the group policy or registry information I mentioned above to 2, which will block potentially dangerous or unwanted downloads and dangerous file types.
And the path of this registry is at: SOFTWARE\Policies\Microsoft\Edge\Recommended, if it doesn't exist, you can create it as REG_DWORD type, set its value will be ok. In the same way, you can do it via group policy.

VSTS: Unable to read data from the transport connection: The connection was closed

I am using VSTS for source control and I get this error (title) when I try to check code in.
How do I fix this issue? This impedes checking code in.
It somehow seems to be related to file size. The file that's failing is 9MBs. I find that peculiar since before I was able to check in a 3GB file (I since deleted it though). I am able to upload hundreds of megs in smaller files, too.
What could be the issue?
Error message on checkin
Thank you.
According the error message, the connection to the server was made but since the service was not available on machine, then the sever canceled the request.
You could try below ways to narrow down the issue:
First check the event view on the client machine, if there are some
related error info.
Check if you have set some checkin policies to restrict that.
Check another team project in some collection and different team
project collection, to check if they have the same issue.
Try to use another account to check in the changes.
Try to use your account to check in codes on another client machine. If the
issue only occurs on your machine, you may need to clear TFS and VS
cache which may do the trick.
Try to create a new workspace and map the source to a new location on your client machine, then try it again.
If you are using Window Server 2008R2. Just try to Apply the
HotFix and try the workaround.

How to avoid "automation server can't create object" without changing the browser security settings?

Recently I got the error "automation server can't create object", for which I know the solution is to add your website to trusted sites and enable the setting: "Initialize and script ActiveX controls not marked as safe for scripting". But since this is a security issue, I searched for an alternative workaround but came up with nothing.
So, I am wondering if there is any other work around for this?
Please look at this SO question. Check if you did everything that was discussed there.
The first thing is to implement IObjectSafety interface. Then sign the activex and installer and CAB. You might also want to look at this example how to implement an activex.

Setting serviceURI for ClientFormsAuthenticationMembershipProvider

I'm searching a way to set the serviceURI for ClientFormsAuthenticationMembershipProvider in code behind. I wish not to have the app.config being changed. Is this possible ?
I'm accessing services from a windows service as well as from a windows program and configuration should be handled in a central place.
Thanks,
Sascha
It is possible to cast to ClientFormsAuthenticationMembershipProvider ClientFormsAuthenticationMembershipProvider just before doing the authentication. If casted you have a property ServiceUri. Set it and it's done.

Setting User Access Rights in Windows

Can someone tell me how to set file permissions in Delphi 2006? I am using TINIFile.Create to create INI files in my application. The problem is that if I create the file while logged onto Windows as an administrator and then try to run the application as just a standard user and overwrite the INI file, I do not have permission to do so. I put the file in the AllUsers\ApplicationData\MyProduct folder. I'd like to set the permissions to this folder. I need AllUsers to have Full permissions to the MyProduct folder. If its possible to do this through a WindowsAPI that'd be great because I also need to do this in C++ and C#. I'd really appreciate any help. Thanks!
Although you can do all sorts of permission changes with the right code in Delphi (as admin) a better application structure is to NOT assume that your App has any privileges (you say you want it to run in user mode). Instead, use the installer that will install your App (e.g Inno Setup) to copy a suitable Ini file template into your required data folder. You can specify the permissions that you want using "Permissions: user-modify" on the file copy line.
You can use JEDI library for this. Here is a blog "Setting file security with JWSCL" from posted by Christian Wimmer
The correct answer on "how to do that" is "don't do it at all".
If you set "allow to write for anyone" for your MyProduct folder or ini-file - this will be violating security. Because now any user can affect other users - this is not what they should be allowed to do.
Any user must affect only his world. He should not affect worlds of other users. This power is reserved for administrators.
Why is this bad? Obsiosly.
That's why the correct way will be approx. like this:
Installer of your application MAY put an ini-file into AllUsers folder, but DO NOT alter file's permissions. This file will be default read-only options.
Your application should read settings from AllUsers folder and from current user folder. If it needs to save settings - it should write to user folder, not AllUsers. That way, each user will have their own preferences/settings.
If you want that "someone powerfull" should have ability to enforce settings for all users - he should be an administrator. He can edit file in AllUsers, thus affecting settings of all users.
Note, that you also need to decide, which setting have higher priority (global or local). So, you can have both at same time: (a) local settings for each user and (b) ability to enforce/override user's settings.
Most probably you create your ini file into the application folder, don't you? You should avoid such practice. Instead create ini files into users\YourUser\AppData\Roaming\YourProduct.
I am having a similar problem.
Since you need to do this also in other environments I have a suggestion for you.
Use an external installer to install your application. It has many benefits and one of them is that it will configure for you a File\Directory\Registry permissions during the installation. Of course you would have to run the installation on administrative account but then your users will have the permissions required by your application.
I can recommend you a great installer which is called Inno Setup.

Resources