DCOM Security references

From: David LeBlanc (dleblancat_private)
Date: Mon Jul 12 1999 - 23:34:27 PDT


    [note - cross-posted to BUGTRAQ and NTBUGTRAQ]
    
    While at the Black Hat conference this week, JD Glaser was pointing out in
    an interesting presentation that DCOM security is very important, and that
    DCOM exposes a lot of functionality on many systems.  He also stated that
    there wasn't much written about DCOM security, so it seems that this area
    isn't as well documented as it might be (or at least many people aren't
    aware of where to find it).
    
    I've been investigating DCOM security issues for quite some time, and
    started putting checks for various DCOM issues into the ISS scanner as far
    back as 2 years ago (v4.3).  I put checks for a fairly comprehensive set of
    DCOM security issues into the 5.6 version.  This isn't meant to be an
    advertisement for ISS (my former employer), but simply pointing out that
    the help system of the scanner does contain some good information on DCOM
    security.  The help system can be had for free by downloading an eval copy
    from ISS' site.
    
    Some resources that I've found very helpful in understanding this area are:
    
    Current Win32 SDK - very good write-up, and very thorough.  Older SDKs were
    a bit sparse on this topic, but recent versions are good.
    
    Pop up dcomcnfg, play with it, use the context-sensitive help to understand
    what the settings all mean.  Also good for understanding what is exposed on
    your machine.  Oleview is another really interesting application.
    
    There were 2 articles on this in the MSJ (Microsoft Systems Journal) last
    fall - should be available online.
    
    It is also a Good Thing to understand what COM and DCOM objects are
    available on your system, and as Mike Howard has pointed out, it is
    especially important on an IIS web server - an .asp script can open these
    things fairly easily.
    
    Under normal circumstances, objects are secured properly and require admin
    access to run things remotely.  Also, if you happen to be writing a DCOM
    app, understanding the security from the start can make a big difference.
    It seems that DCOM is getting used more and more often, and so will
    probably be increasingly important to understand.
    
    JD asked me to post this - I hope it might be helpful.
    
    
    David LeBlanc
    dleblancat_private
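
Added example, not part of the original post: a read-only PowerShell inventory of the registry values behind the dcomcnfg settings the message recommends reviewing. The registry locations (`HKLM:\SOFTWARE\Microsoft\Ole`, `HKLM:\SOFTWARE\Classes\AppID`) and value names are standard Windows COM configuration that the post itself does not list; the helper name `ConvertTo-DcomSddl` is hypothetical.

```powershell
# Added example: list machine-wide and per-AppID DCOM security settings.
# Read-only. Run elevated so that every AppID key can be read.

function ConvertTo-DcomSddl {
    param([byte[]]$Bytes)
    # Launch/access permissions are stored as binary security descriptors.
    if ($null -eq $Bytes) { return '(not set)' }
    try {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
        $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    } catch {
        '(unparseable descriptor)'
    }
}

# Machine-wide defaults: EnableDCOM is 'Y' or 'N'; the default permissions
# apply to every AppID that does not carry its own descriptor.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
[pscustomobject]@{
    EnableDCOM              = $ole.EnableDCOM
    DefaultLaunchPermission = ConvertTo-DcomSddl $ole.DefaultLaunchPermission
    DefaultAccessPermission = ConvertTo-DcomSddl $ole.DefaultAccessPermission
} | Format-List

# Per-application settings. '(not set)' here means the machine-wide
# default above is what governs that application.
Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            AppID            = $_.PSChildName
            Name             = $p.'(default)'
            RunAs            = $p.RunAs          # identity the server runs as
            LocalService     = $p.LocalService   # set when hosted in a service
            LaunchPermission = ConvertTo-DcomSddl $p.LaunchPermission
            AccessPermission = ConvertTo-DcomSddl $p.AccessPermission
        }
    } |
    Sort-Object Name |
    Format-Table -AutoSize -Wrap
```

Entries whose SDDL grants launch or access rights to broad principals, or whose `RunAs` names a privileged account, are the ones to review first in dcomcnfg.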
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:01 PDT