DCOM configuration writable

Risk Level: Medium

Check or Attack Name: DCOM Config Writable

Platforms: Windows NT

Description:

A registry key for a valid DCOM object has access permissions that allow non-administrator users to change the security settings. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute code, possibly under the user context of the console user.

In addition, an attacker could change the security on the object to allow for a future attack, such as setting the object to run as Interactive User. The Interactive User runs the application using the security context of the user currently logged on to the computer. If this option is selected and the user is not logged on, then the application will not start.

Remedy:

Fortify DCOM's AppId permissions so that objects continue to function under tightened security.

WARNING: Incorrectly using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to HKEY_LOCAL_MACHINE\Software\Classes\AppId.
  3. Select the application that generated this vulnerability.
  4. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  5. Set the permissions to Administrators - Full Control, System - Full Control, and Everyone - Read.
  6. For maximum security, set these permissions at the AppId root key, and click Replace Permission on Existing Subkeys to propagate permissions to all subkeys.

WARNING: If the Interactive user does not have write permission at the root key, then ordinary users will not be able to install applications which expose DCOM objects.
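To find the keys that need the permissions from step 5, the following read-only audit lists AppId keys where a principal other than Administrators or SYSTEM holds write-level rights. It is an added example, not part of the original advisory; it assumes a Windows version with PowerShell rather than the Windows NT tools named in the steps, and its variable names are the example's own.

```powershell
# Added example, not ISS code. Read-only: it lists ACEs and changes nothing.
$root = 'HKLM:\SOFTWARE\Classes\AppID'

# Baseline from step 5: only Administrators and SYSTEM may hold write access.
# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators, S-1-5-18 = SYSTEM.
$allowedSids = @('S-1-5-32-544', 'S-1-5-18')

# Rights that let a principal change an object's DCOM settings or the key ACL.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Also catch ACEs stored as GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
$mask = [int]$writeRights -bor 0x50000000

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Check the AppId root key and every application key directly beneath it.
$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($key.Name)"; continue }

    # Request rules keyed by SID so the comparison does not depend on localized names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }                 # deny ACEs grant nothing
        if ($ace.PropagationFlags -band $inheritOnly) { continue }           # does not apply to this key itself
        if (([int]$ace.RegistryRights -band $mask) -eq 0) { continue }       # read-only ACE
        if ($allowedSids -contains $ace.IdentityReference.Value) { continue } # expected writer

        [pscustomobject]@{
            Key       = $key.Name
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Key, Sid | Format-Table -AutoSize
```

Rows with Inherited set to True trace back to the AppId root key's permissions, which is the case step 6 addresses.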
