COM/COM+ Security

How does RPC security relate to COM+ security? I made the statement earlier that every DCOM call is actually an RPC call. When you use remoting in COM+, as you learned in Chapter 5, the client talks to a server object through a proxy, and the object receives calls through the stub. Deep in the proxy/stub code is the code that makes RPC calls. As you learned in the previous section, for an RPC call to be secured, you must call the RpcBindingSetAuthInfoEx function. What COM+ provides are high-level API functions for setting the parameters of RpcBindingSetAuthInfoEx. The two most important functions (the ones we are going to discuss here) are CoInitializeSecurity and CoSetProxyBlanket.

In RPC, a client that wanted to make secured calls had to call RpcBindingSetAuthInfoEx for each binding handle; the COM+ equivalent would be making a similar call once for each interface in each object. The server had even more work to do: it had to evaluate each call, decide whether the call's security level was sufficient, and then accept or reject the call based on that evaluation.

Because in COM+ the proxy/stub code wraps the RPC code, it is possible for COM+ to automate the process and minimize the work that the client and the server have to do. For example, on the client side, we can tell COM+ at program startup what level of authentication to use for all of its RPC calls. On the server side, COM+ enables us to tell it the minimum level of security that ...
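The client-side half of this, as an added example that is not code from the book: CoInitializeSecurity sets the process-wide default once at startup, and CoSetProxyBlanket overrides it for a single interface proxy. The helper names InitProcessSecurity and RequirePrivacy, the levels chosen, and the non-Windows stand-ins are assumptions of this example.

```cpp
#ifdef _WIN32
#include <windows.h>
#include <objbase.h>
#else
// Constructed stand-ins so the file also builds off Windows: constant values
// match the Windows SDK; the two stubs only record the level they were given.
typedef long HRESULT; typedef unsigned int DWORD; typedef wchar_t OLECHAR;
struct IUnknown {};
const HRESULT S_OK = 0;
const DWORD RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5, RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6,
            RPC_C_IMP_LEVEL_IDENTIFY = 2, RPC_C_AUTHN_DEFAULT = 0xFFFFFFFF,
            RPC_C_AUTHZ_DEFAULT = 0xFFFFFFFF, EOAC_NONE = 0, EOAC_DEFAULT = 0x800;
OLECHAR* const COLE_DEFAULT_PRINCIPAL = (OLECHAR*)(long)-1;
DWORD g_processLevel = 0, g_proxyLevel = 0;
HRESULT CoInitializeSecurity(void*, long, void*, void*, DWORD level, DWORD,
                             void*, DWORD, void*) { g_processLevel = level; return S_OK; }
HRESULT CoSetProxyBlanket(IUnknown*, DWORD, DWORD, OLECHAR*, DWORD level, DWORD,
                          void*, DWORD) { g_proxyLevel = level; return S_OK; }
#endif

// Client startup, after CoInitializeEx and before any interface is marshaled:
// every proxy in the process defaults to signed packets (PKT_INTEGRITY), and
// servers may identify the caller but not impersonate it.
HRESULT InitProcessSecurity() {
    return CoInitializeSecurity(nullptr, -1, nullptr, nullptr,
                                RPC_C_AUTHN_LEVEL_PKT_INTEGRITY,
                                RPC_C_IMP_LEVEL_IDENTIFY,
                                nullptr, EOAC_NONE, nullptr);
}

// Override for one interface proxy only: require encrypted packets
// (PKT_PRIVACY), leaving service, principal and identity at their defaults.
HRESULT RequirePrivacy(IUnknown* proxy) {
    return CoSetProxyBlanket(proxy, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT,
                             COLE_DEFAULT_PRINCIPAL,
                             RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
                             RPC_C_IMP_LEVEL_IDENTIFY,
                             nullptr, EOAC_DEFAULT);
}

int main() {
#ifdef _WIN32
    if (FAILED(CoInitializeEx(nullptr, COINIT_MULTITHREADED))) return 1;
#endif
    return InitProcessSecurity() == S_OK ? 0 : 1;
}
```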
