[Full-Disclosure] Disabling DCOM: Ramifications?

• Previous message: Geoincidents: "Re: [Full-Disclosure] RE: DCOM Exploit MS03-026 attack vectors"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.netsys.com
Date: 02 Aug 2003 10:56:44 -0500

  After some testing in the lab, I went ahead and disabled DCOM on all
of the Win2K AD Controllers in the environment I support (approx. 80
servers.)

  While we haven't yet had the chance to test all of the finer points of
package distribution via SMS, we haven't yet seen or heard of any
strange behavior or lack of infrastructure services as a result of the
change.

  Specifically, I have tested: Terminal services, remote management via
MMC (event viewer, etc.); mapping drives and whatnot; login script
functionality; and SMS remote management tools. No issues whatsoever.

  If there are additional tests anyone would like to see performed,
please let me know. If I can't safely perform the tests in production,
I'll try them out in the lab...

  The scripts I used to disable them aren't especially clever or unique,
but just in case you want to cut and paste, here is what I did. Note:
requires Kix32, shutdown.exe, and nltest.exe - all of which (if memory
serves) may be found in the ntreskit.

--- DISCLAIMER: This is all stuff I stole from this list or other
sources and cobbled together haphazardly. There is absolutely no
original thought or special effort here, just the quick-and-dirty
process I used to slam closed the gaping DCOM barn door. So if torn
between the urge to skip the following or fire up the flamethrower -
please, just skip it! :) ---

1) Generate a list of DC's to deploy to: NLTEST /DCLIST:[mydomain] >
dc.txt
(Clean up resulting text file just enough to be suitable for parsing...)

2) I used the following KIX script to change the registry key which
enables/disables DCOM. You can paste this into a text file and save it
as a *.kix file (I called mine killdcom.kix) :

  $ReturnCode =
WriteValue("\\$target\HKEY_LOCAL_MACHINE\Software\Microsoft\Ole","EnableDCOM","N","REG_SZ")
  If @ERROR = 0
    ? "DCOM Disabled on target: " $target
  Else
    ? "SCRIPT FAILED ON " $target
  EndIf

3) Since this script is written to disable just one machine, I then used
a loop to feed it the list of targets previously generated. From a
command prompt:

  FOR /F %P IN (dc.txt) DO kix32.exe killdcom.kix $target=%p

4) After reviewing the output, the servers still need to be rebooted.
(side note: dammit, Kix doesn't seem to like to output to a text file
with the > redirection symbol, so I had to run it a second time and just
watch the messages scroll... Wasn't worth the energy to sort out
logging, heh, someone here will prolly do that soon anyway and include
it in the flamage) ... To do so, I used the same loop as before, but
with the shutdown command instead:

  FOR /F %P IN (dc.txt) DO SHUTDOWN -m \\%p -r -t 7200

Note: depending on where you got your version of shutdown, the syntax
may vary; mine was, I think from some antique NT4 reskit. Also note,
the 7200 is an arbitrary number of seconds (from 0 to...?) until the
reboot - when I ran it, I just happened to need it to occur in 2 hours.

  OK, I know this whole post is probably going to just piss off the
really hard core admin types due to lack of new and clever insights, so
- I apologize in advance. *sheepish grin as I duck for cover!*

-- 
We don't just delete spam, we delete spammers. [spammerhunters.com]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• application/pgp-signature attachment: This is a digitally signed message part

• Previous message: Geoincidents: "Re: [Full-Disclosure] RE: DCOM Exploit MS03-026 attack vectors"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]