in reply to Masking Windows Passwords

What you’s really like to do is to have access to the COM interface controlled such that no one or no application can gain access to it at all without being authorized through the existing Windows (OpenDirectory / LDAP / etc.) authentication mechanisms.

The request itself might be accompanied by some random identification-token which is simply a calling-card.   Some COM interfaces oblige you to send a hash of a userID/password combination (structured however the vendor requires) across the wire:   the receiving computer knows what the correct hash-value should be, but no one who’s looking at the transmission has any idea.

Microsoft has some trustworthy interface abilities already built-in to their IIS server which do give you a way to find out about the user without having to ask him, and these can also be applied to the case of remote interfaces if the remote in question is intra-net.