Vulnerability Assessment

Re: DCOM key Retina Audit ID 5328

Blue1978 — Wed, 02 Sep 2009 05:12:17 GMT

If your concerned about saving your registry settings, I would look at using the free program called ERUNT. This can be found at snapfiles.com and other miscellaneous locations.

Re: DCOM key Retina Audit ID 5328

jaws — Tue, 01 Sep 2009 20:09:58 GMT

Hi,

How do you save the current permissions prior to changing them?

Is exporting the registry enough?

Does making these changes cause problems?

Thanks,

Jim

Re: DCOM key

nomuus — Fri, 03 Jul 2009 18:34:00 GMT

jkembry:

New to the forum.

I am having different issues when this particular vulnerability is remediate. I have a number of machines (Windows XP Professional, SP3) where functionality has been severly degraded. They take forever to boot up, the Windows Installer Service ceases to function, there is major time lag between when the user is doing something and when the computer responds.

Once we re-set DCOM permissions back to they way they were before remediation, all returns to normal.

Any ideas.

Thanks,

Jeff Embry

I am wondering as to why this would have caused such a performance degradation, esp if you ensured SYSTEM and Administrators have full access to these keys. I believe Windows Installer Service runs as SYSTEM, so if SYSTEM has full permissions in this particular registry location...are you propogating all permissions throughout the subkeys?

The symptoms you described could be numerous different reasons, like applications be restricted to what they can access via DCOM, or a user account or group not having proper access, etc. Verify the permissions have propogated throughout the keys (as described in my last post). Does that resolve any issues?

Are there any applications that could depend on needing write access to dcom permissions?? Users other than those in the Administrators Group or the local SYSTEM account should not need greater than read permissions (e.g. read and write).

Re: DCOM key

nomuus — Fri, 03 Jul 2009 18:17:38 GMT

gallaghermj:

This check verifies that a DCOM object doesn't have access permissions that allow non-administrator users to change the security settings.

The settings requested to have set: "Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access."

When this item is set the propagtion does not complete. There are about 150+ component keys in there. I have this Registry permission issue come up on every machine I have and would love to remediate the finding The instructions are clear in Retina, but the practical application of them are not. Has anyone resolved this ? What were your steps that lead to success?

Thanks, Michael

The solution included in the audit should work, but there is typically a caveat...you have to ensure that you choose the option to replace all child object permissions so that the permissions propogate throughout all subkeys and values.

Re: DCOM key

jkembry — Fri, 29 May 2009 15:09:52 GMT

New to the forum.

I am having different issues when this particular vulnerability is remediate. I have a number of machines (Windows XP Professional, SP3) where functionality has been severly degraded. They take forever to boot up, the Windows Installer Service ceases to function, there is major time lag between when the user is doing something and when the computer responds.

Once we re-set DCOM permissions back to they way they were before remediation, all returns to normal.

Any ideas.

Thanks,

Jeff Embry

Re: DCOM key

Blue1978 — Thu, 09 Apr 2009 17:04:32 GMT

So your still having the issue after you completed the steps I was given in that post?

Re: DCOM key

gallaghermj — Thu, 09 Apr 2009 15:40:15 GMT

You might have listed a fix here http://forums.eeye.com/forums/p/484/2101.aspx#2101

but i was able to replicate the steps. Rescanning of DCOM produced the same result.

Microsoft Windows DCOM Object Registry Permissions
Audit ID:	5328
Vul ID:
Risk Level:	Medium
Sev Code:	Category II
PCI Severity Level:	1 (Low)
CVSS Score:
Category:	Windows
Description:	This check verifies that a DCOM object doesn't have access permissions that allow non-administrator users to change the security settings.
How To Fix:	Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access for any DCOM object: Click Start, Run, type "regedt32", and click OK. Locate HKEY_LOCAL_MACHINE\Software\Classes\AppID Select AppID, Right Click, then select Permissions. Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access. Note: Additional groups must have only "read" access and individual user accounts are not permitted.
Related Links:

Re: DCOM key

Blue1978 — Tue, 07 Apr 2009 17:40:13 GMT

Can you copy and paste the Retina audit that is telling you this here?

DCOM key

gallaghermj — Mon, 06 Apr 2009 14:59:42 GMT

This check verifies that a DCOM object doesn't have access permissions that allow non-administrator users to change the security settings.

The settings requested to have set: "Ensure that only Local Administrators Group and Local System are permitted to have greater than "read" access."

When this item is set the propagtion does not complete. There are about 150+ component keys in there. I have this Registry permission issue come up on every machine I have and would love to remediate the finding The instructions are clear in Retina, but the practical application of them are not. Has anyone resolved this ? What were your steps that lead to success?

Thanks, Michael