DCOM Security

Now let's look at security issues which are specific to DCOM operations and programming.

We've seen in the 'Authenticated RPC' section that the DCOM security implementation is based on Authenticated RPC. Authenticated RPC uses the security support providers that are available through the Win32 Security Support Provider Interface (SSPI). At this time, Authenticated RPC uses the NTLMSSP exclusively.

Security can be configured externally, that is, without either the client or the server having to include security-specific code. This is suitable for both legacy and simple COM applications. If the security needs of the application are more sophisticated, a variety of functions and interfaces are available to both clients and servers to configure security programmatically, as we'll see shortly.
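The external configuration described above lives in the registry, so it can be reviewed without touching the client or server code. The following read-only PowerShell audit is an added example, not code from the original text; it assumes a Windows host, PowerShell 5 or later, and the standard DCOM registry locations (`HKLM\SOFTWARE\Microsoft\Ole` for machine-wide defaults, `HKLM\SOFTWARE\Classes\AppID` for per-server overrides).

```powershell
# Added example: read-only audit of externally configured DCOM security.
# RPC authentication levels as stored in the registry (RPC_C_AUTHN_LEVEL_*).
$authnLevels = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
                  4 = 'Packet'; 5 = 'PacketIntegrity'; 6 = 'PacketPrivacy' }

function Get-AuthnName {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    $name = $authnLevels[[int]$Value]
    if ($name) { "$Value ($name)" } else { "$Value (unknown)" }
}

function ConvertTo-Sddl {
    # Permissions are stored as binary self-relative security descriptors.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '(not set, default applies)' }
    try {
        [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0).GetSddlForm('All')
    } catch { '(unparseable security descriptor)' }
}

# Machine-wide defaults, used by servers that set nothing of their own.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
[pscustomobject]@{
    EnableDCOM                = $ole.EnableDCOM
    LegacyAuthenticationLevel = Get-AuthnName $ole.LegacyAuthenticationLevel
    DefaultAccessPermission   = ConvertTo-Sddl $ole.DefaultAccessPermission
    DefaultLaunchPermission   = ConvertTo-Sddl $ole.DefaultLaunchPermission
} | Format-List

# Per-server overrides: list only AppIDs that carry explicit security values.
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($null -ne $p.AuthenticationLevel -or $p.AccessPermission -or $p.LaunchPermission) {
            [pscustomobject]@{
                AppID               = $_.PSChildName
                Name                = $p.'(default)'
                AuthenticationLevel = Get-AuthnName $p.AuthenticationLevel
                # Level 1 (None) means calls to this server are not authenticated.
                Unauthenticated     = ($p.AuthenticationLevel -eq 1)
                AccessPermission    = ConvertTo-Sddl $p.AccessPermission
                LaunchPermission    = ConvertTo-Sddl $p.LaunchPermission
            }
        }
    } | Sort-Object Unauthenticated -Descending | Format-Table -AutoSize -Wrap
```

Servers that configure security programmatically may not appear in the per-AppID list, because their settings are applied at run time rather than stored in the registry.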