Effortlessly Tame Windows Dangerous DCOM Facility
by Steve Gibson, Gibson Research Corporation.
Page last modified: Jun 28, 2004 at 13:03. Developed by Steve Gibson.
Microsoft's DCOM security patch leaves DCOM running, open, and waiting for the next malicious exploit.
Our 29 kbyte "DCOMbobulator" allows any Windows user to quickly check their system's DCOM vulnerability, then simply shut down the unnecessary DCOM security risk.
What does all this have to do with you?
What does DCOM do for you?
their DCOM patches and finally turn DCOM off.
What does the DCOMbobulator do?
to quickly verify the effectiveness of Microsoft's DCOM security patch, then completely disable DCOM for greatly enhanced security.
Getting Yourself DCOMbobulated
DCOMbobulator supports three command-line options, "disable", "enable" and "verify", which can be useful for operation from corporate logon scripts or batch command files.
The use of any command-line option suppresses the DCOMbobulator's user-interface display and UI "click" sound, making its operation completely invisible and silent. The "disable" and "enable" verbs result in DCOM being disabled or enabled, respectively, after the next system restart.
The "verify" option instructs the DCOMbobulator to verify that the system being tested is not vulnerable to the known remote DCOM exploit. If the system's DCOM facility is either disabled or patched, "verify" will check this and exit silently. But if the system is vulnerable — with DCOM both running and unpatched — the following dialog will appear on the user's display:
The use of the "verify" verb supports corporate deployment where there's a need to check the continuing effectiveness of Microsoft's DCOM patch.
Under Windows 95/98/ME, disabling DCOM with the DCOMbobulator will close port 135 since the Windows 98/ME task scheduler does not use port 135 and those systems don't have the Distributed Transaction Coordinator.
A personal firewall or NAT router blocks unsolicited inbound connections from the Internet, so an open port 135 is not directly reachable from outside if that protection is in place. Note the limit of that protection: a NAT router does nothing for traffic from other machines on the same LAN, so a single compromised machine behind the router can still reach port 135 on every other machine beside it. For that reason the best security is obtained with multi-layered security, where each layer is as secure as possible on its own. If you can determine that you do not need the Windows Task Scheduler, or that you can live without its services, you can probably arrange to close TCP port 135 completely.
As with DCOM, typical Windows users have no need for the Distributed Transaction Coordinator service. If it is running, it can be stopped and disabled without any negative impact on the system. But unfortunately, as we'll see, the same may not be true of the Windows Task Scheduler service:
That's all there is to it.
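The three verbs described under "Getting Yourself DCOMbobulated", together with the port 135 and Distributed Transaction Coordinator checks above, as an added PowerShell example for logon scripts. This is not GRC's DCOMbobulator and it does not reproduce that tool's probe for the known remote DCOM exploit; it checks configuration and exposure only. It assumes (none of which the page states) that DCOM's master switch is the REG_SZ value EnableDCOM ("Y" or "N") under HKLM\SOFTWARE\Microsoft\Ole, that the Distributed Transaction Coordinator service is named MSDTC, and that listeners on TCP 135 can be read with Get-NetTCPConnection, which needs Windows 8 / Server 2012 or later. Run it elevated.

```powershell
<#
Added example, not code from GRC or the DCOMbobulator.
Assumptions (not from the original page):
  - HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM (REG_SZ "Y"/"N") is the DCOM on/off switch
    and a change takes effect only after the next restart.
  - The Distributed Transaction Coordinator service is named "MSDTC".
  - Get-NetTCPConnection is available (Windows 8 / Server 2012 and later).
Usage:  .\Dcom-Toggle.ps1 -Verb verify
        .\Dcom-Toggle.ps1 -Verb disable -IncludeMsdtc
        .\Dcom-Toggle.ps1 -Verb enable
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('verify', 'disable', 'enable')]
    [string]$Verb,

    # Also stop and disable the Distributed Transaction Coordinator.
    [switch]$IncludeMsdtc
)

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomEnabled {
    # A missing value means the default, which is DCOM enabled.
    $v = (Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    return ($null -eq $v) -or ($v -eq 'Y')
}

function Get-Port135Listeners {
    # One object per socket listening on TCP 135, with the owning process name,
    # so the reader can see whether it is DCOM, the Task Scheduler or MSDTC.
    Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                OwningPid    = $_.OwningProcess
                Process      = if ($p) { $p.ProcessName } else { '?' }
            }
        }
}

switch ($Verb) {
    'verify' {
        $enabled   = Get-DcomEnabled
        $listeners = @(Get-Port135Listeners)
        $msdtc     = Get-Service -Name MSDTC -ErrorAction SilentlyContinue
        if (-not $enabled -and $listeners.Count -eq 0) {
            # Quiet path, like the original "verify": nothing to report.
            exit 0
        }
        $msdtcState = if ($msdtc) { $msdtc.Status } else { 'absent' }
        Write-Warning ("DCOM enabled: {0}; TCP 135 listeners: {1}; MSDTC: {2}" -f
            $enabled, $listeners.Count, $msdtcState)
        $listeners | Format-Table -AutoSize | Out-String | Write-Warning
        exit 1
    }
    'disable' {
        Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N' -Type String
        if ($IncludeMsdtc) {
            Stop-Service -Name MSDTC -Force -ErrorAction SilentlyContinue
            Set-Service  -Name MSDTC -StartupType Disabled -ErrorAction SilentlyContinue
        }
        # As with the original tool, DCOM is actually off only after the next restart.
    }
    'enable' {
        Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'Y' -Type String
        if ($IncludeMsdtc) {
            Set-Service -Name MSDTC -StartupType Manual -ErrorAction SilentlyContinue
        }
    }
}
```

The non-zero exit code from "verify" is what a logon script or monitoring job would key on; the warning text shows which process still holds port 135, which is the information the Task Scheduler discussion above turns on. Test the "disable" path on a non-production machine first: current Windows versions depend on DCOM for far more components than the systems this page was written for.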