Re: deactivating DCOM

From: Susan Bradley, CPA aka Ebitz SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 07/21/03


Date: Sun, 20 Jul 2003 22:10:46 -0700


Q1 How do I enable or disable DCOM?

A. The HKEY_LOCAL_MACHINE\Software\Microsoft\OLE registry key has
"EnableDCOM" as a named value. By default this value is set to "Y." To
disable DCOM, change this value to "N." You can do this in the OLE/COM
Object Viewer with the File.System Configuration dialog box. Changing
this value requires you to restart your computer.

If EnableDCOM is not set to "Y," then all cross-computer calls are
rejected (the caller, typically, receives an RPC_S_SERVER_UNAVAILABLE
return code).

On Windows 95, with DCOM support, there is an additional registry
setting that enables or disables incoming remote connections. The
registry key is HKEY_LOCAL_MACHINE\Software\Microsoft\OLE, and the named
value is "EnableRemoteConnections." By default remote connections are
disabled (the value is "N"). To enable remote connections to a Windows
95 computer, change this value to "Y." You can do this in the OLE/COM
Object Viewer (OLEView) with the File.System Configuration dialog box.
Changing this value requires a restart.

You'll have to reboot anyway.... just in case they use another unknown
threat vector to get in, I'd rather patch. The exploit is not public at
this time....

Bijan Kianifard wrote:

> Hello to all,
>
> I received this message from eEye Digital Security and I
> think it is interesting to you:
>
> Microsoft Remote Procedure Call (RPC) Vulnerability
>
> Systems Affected
> All current versions of Microsoft Windows (e.g. Windows
> NT, XP, 2000) and Windows Server 2003.
>
> Potential Impact
> This critical flaw allows an attacker to gain control of
> systems via TCP Port 135. The flaw is not necessarily in
> RPC, rather the flaw is in the way RPC is implemented in
> Windows. When exploited, a buffer overflow is created that
> could allow remote attackers to run commands with the
> highest system privileges.
>
> Rating: Critical
> Many networked Windows services rely on RPC in order to
> communicate between machines. As a result, Microsoft ships
> Windows with this service turned on by default. This means
> that every Windows machine is vulnerable, unless it has
> been specifically set up to not use RPC (a configuration
> which may cause parts of the operating system to function
> incorrectly), or unless a patch or workaround has been
> applied.
>
> Protecting Against This Vulnerability
> The most effective way to protect vulnerable systems is to
> apply the Hotfix released by Microsoft in Security
> Bulletin MS03-026. However, there is a workaround that
> will disable the flawed Windows component so that an
> attack over TCP Port 135 will be ineffective. According to
> the Microsoft Security Bulletin, the affected service,
> known as Distributed Component Object Model (DCOM), may be
> disabled with little or no impact to normal Windows
> functionality. The procedure for deactivating this
> component consists of only a few steps, and is outlined in
> the "Frequently Asked Questions" section of the Microsoft
> bulletin.
>
> DCOM has long been regarded as a potential security hazard
> in Windows, and best security practices recommend
> disabling the service unless it is absolutely necessary.
> For this reason, Retina® Network Security Scanner has
> included an audit for well over a year that flags Windows
> machines on which the DCOM service is running. The fix
> information included within the audit instructs users to
> disable DCOM using the same procedure outlined by
> Microsoft.
>
> I don't know how I can deactivate the DCOM service on the Windows
> 2000 Advanced Server platform. May somebody help me?
>
> Thank you
>
> Bijan

--
"Don't lose sight of security.  Security is a state of being, not a
state of budget.  He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches.  Demand
better security from vendors and hold them responsible.  Use what
you have, and make sure you know how to use it properly and
effectively."
  ~ Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt
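
The registry setting described in the reply above, as an added example that is not part of the original post: an audit of the EnableDCOM and EnableRemoteConnections values, plus an optional change of EnableDCOM to "N". It assumes a Windows system where PowerShell is available and, for the change, an elevated session; the function names are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# the key and value names (EnableDCOM, EnableRemoteConnections) are from the post.
function Get-DcomSetting {
    [CmdletBinding()]
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Ole')

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }
    foreach ($name in 'EnableDCOM', 'EnableRemoteConnections') {
        # Report a missing value as absent instead of guessing its effect.
        $prop = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $prop) { [string]$prop.$name } else { $null }
        $report[$name] = $value
    }
    # String comparison with -eq is case-insensitive, so "y" also counts as "Y".
    $state = 'Disabled'
    if ($null -eq $report['EnableDCOM']) { $state = 'NotSet' }
    elseif ($report['EnableDCOM'] -eq 'Y') { $state = 'Enabled' }
    $report['DcomState'] = $state
    [pscustomobject]$report
}

function Disable-Dcom {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Ole')

    $before = Get-DcomSetting -Path $Path
    if ($before.DcomState -eq 'Disabled') {
        Write-Verbose 'EnableDCOM is already set to a value other than Y.'
        return $before
    }
    # Writing under HKLM requires an elevated (administrator) session.
    if ($PSCmdlet.ShouldProcess("$Path\EnableDCOM", 'Set value to N')) {
        Set-ItemProperty -Path $Path -Name EnableDCOM -Value 'N' -Type String
        # Per the post, the new value only takes effect after a restart.
        Write-Warning 'EnableDCOM set to N. Restart the computer to apply it.'
    }
    Get-DcomSetting -Path $Path
}
```

Get-DcomSetting only reads the two values; Disable-Dcom -WhatIf shows the pending change without writing it.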

