
eEye Digital Security

The endpoint to vulnerability starts here.

 

DCOM key

Last post 09-01-2009 10:12 PM by Blue1978. 8 replies.
Page 1 of 1 (9 items)
  • 04-06-2009 7:59 AM

    DCOM key

     This check verifies that a DCOM object doesn't have access permissions that allow non-administrator users to change the security settings.

    The settings requested to have set: "Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access."

    When this item is set the propagation does not complete. There are about 150+ component keys in there. I have this Registry permission issue come up on every machine I have and would love to remediate the finding. The instructions are clear in Retina, but the practical application of them is not. Has anyone resolved this? What were your steps that led to success?

    Thanks, Michael

  • 04-07-2009 10:40 AM In reply to

    Re: DCOM key

     Can you copy and paste the Retina audit that is telling you this here?

     

  • 04-09-2009 8:40 AM In reply to

    Re: DCOM key

     You might have listed a fix here http://forums.eeye.com/forums/p/484/2101.aspx#2101

     but I was able to replicate the steps. Rescanning of DCOM produced the same result.

    Microsoft Windows DCOM Object Registry Permissions
    Audit ID: 5328
    Vul ID:
    Risk Level: Medium
    Sev Code: Category II
    PCI Severity Level: 1 (Low)
    CVSS Score:
    Category: Windows
    Description: This check verifies that a DCOM object doesn't have access permissions that allow non-administrator users to change the security settings.
    How To Fix: Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access for any DCOM object:
    1. Click Start, Run, type "regedt32", and click OK.
    2. Locate HKEY_LOCAL_MACHINE\Software\Classes\AppID
    3. Select AppID, Right Click, then select Permissions.
    4. Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access.
    Note: Additional groups must have only "read" access and individual user accounts are not permitted.
    Related Links:

  • 04-09-2009 10:04 AM In reply to

    Re: DCOM key

     So you're still having the issue after you completed the steps I was given in that post?

  • 05-29-2009 8:09 AM In reply to

    Re: DCOM key

    New to the forum.

    I am having different issues when this particular vulnerability is remediated.  I have a number of machines (Windows XP Professional, SP3) where functionality has been severely degraded.  They take forever to boot up, the Windows Installer Service ceases to function, there is major time lag between when the user is doing something and when the computer responds.

    Once we re-set DCOM permissions back to the way they were before remediation, all returns to normal.

    Any ideas?

    Thanks,

     

    Jeff Embry

  • 07-03-2009 11:17 AM In reply to

    Re: DCOM key

    gallaghermj:

     This check verifies that a DCOM object doesn't have access permissions that allow non-administrator users to change the security settings.

    The settings requested to have set: "Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access."

    When this item is set the propagation does not complete. There are about 150+ component keys in there. I have this Registry permission issue come up on every machine I have and would love to remediate the finding. The instructions are clear in Retina, but the practical application of them is not. Has anyone resolved this? What were your steps that led to success?

    Thanks, Michael

     

    The solution included in the audit should work, but there is typically a caveat...you have to ensure that you choose the option to replace all child object permissions so that the permissions propagate throughout all subkeys and values.

     

  • 07-03-2009 11:34 AM In reply to

    Re: DCOM key

    jkembry:

    New to the forum.

    I am having different issues when this particular vulnerability is remediated.  I have a number of machines (Windows XP Professional, SP3) where functionality has been severely degraded.  They take forever to boot up, the Windows Installer Service ceases to function, there is major time lag between when the user is doing something and when the computer responds.

    Once we re-set DCOM permissions back to the way they were before remediation, all returns to normal.

    Any ideas?

    Thanks,

     

    Jeff Embry

     

     

    I am wondering as to why this would have caused such a performance degradation, esp if you ensured SYSTEM and Administrators have full access to these keys.   I believe Windows Installer Service runs as SYSTEM, so if SYSTEM has full permissions in this particular registry location...are you propagating all permissions throughout the subkeys?

    The symptoms you described could be numerous different reasons, like applications being restricted to what they can access via DCOM, or a user account or group not having proper access, etc.  Verify the permissions have propagated throughout the keys (as described in my last post). Does that resolve any issues?

    Are there any applications that could depend on needing write access to DCOM permissions?   Users other than those in the Administrators Group or the local SYSTEM account should not need greater than read permissions (e.g. read and write).

     

  • 09-01-2009 1:09 PM In reply to

    • jaws
    • Top 75 Contributor
    • Joined on 09-01-2009
    • Posts 10

    Re: DCOM key Retina Audit ID 5328

     Hi,

      How do you save the current permissions prior to changing them? 

      Is exporting the registry enough? 

      Does making these changes cause problems?

    Thanks,

    Jim

  • 09-01-2009 10:12 PM In reply to

    Re: DCOM key Retina Audit ID 5328

         If you're concerned about saving your registry settings, I would look at using the free program called ERUNT.  This can be found at snapfiles.com and other miscellaneous locations.
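
Added example (not part of any post in this thread and not eEye or Retina code): a PowerShell sketch covering both the Audit ID 5328 check quoted above and the question about saving permissions first. A .reg text export does not carry key permissions, so the script records each key's security descriptor as SDDL, then lists allow entries that give any SID other than Administrators (S-1-5-32-544) or Local System (S-1-5-18) more than read. The function names and CSV layout are assumptions made for this example.

```powershell
# Added example: snapshot and audit ACLs under HKLM\Software\Classes\AppID.
# Run elevated. Nothing is changed unless Restore-AppIdAcl is called.
$Root    = 'HKLM:\Software\Classes\AppID'
$Allowed = 'S-1-5-32-544', 'S-1-5-18'        # Administrators, Local System
# Bits treated as "read": KEY_READ, GENERIC_EXECUTE, GENERIC_READ (sign bit)
$ReadMask = 0x20019 -bor 0x20000000 -bor [int]::MinValue
$SidType  = [System.Security.Principal.SecurityIdentifier]
$DaclOnly = [System.Security.AccessControl.AccessControlSections]::Access

function Get-AppIdKeys {
    # The AppID key itself plus every subkey beneath it
    Get-Item -LiteralPath $Root
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue
}

function Save-AppIdAcl([string]$OutFile) {
    # One CSV row per key: provider path and its security descriptor (SDDL)
    Get-AppIdKeys | ForEach-Object {
        [pscustomobject]@{ Path = $_.PSPath
                           Sddl = (Get-Acl -LiteralPath $_.PSPath).Sddl }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Find-AppIdWriteAccess {
    # Allow ACEs that grant a non-allowed SID anything beyond read
    foreach ($key in Get-AppIdKeys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
            $extra = [int]$ace.RegistryRights -band (-bnot $ReadMask)
            if ($ace.AccessControlType -eq 'Allow' -and $extra -ne 0 -and
                $Allowed -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Key       = $key.Name
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Restore-AppIdAcl([string]$InFile) {
    # Put back only the DACL from the snapshot; owner and SACL are untouched
    foreach ($row in Import-Csv -Path $InFile) {
        $acl = Get-Acl -LiteralPath $row.Path
        $acl.SetSecurityDescriptorSddlForm($row.Sddl, $DaclOnly)
        Set-Acl -LiteralPath $row.Path -AclObject $acl
    }
}
```

Run `Save-AppIdAcl` before changing anything and `Find-AppIdWriteAccess` before and after; a row with `Inherited` set to False on a subkey marks a key whose own entry did not take the permissions pushed down from AppID.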

© 1995 - 2009 eEye Incorporated