Check: 5.108
Windows XP STIG:
5.108
(in versions v6 r1.32 through v1 r0)
Title
A Windows system has a writable DCOM configuration. (Cat II impact)
Discussion
A registry key for a valid DCOM object has access permissions that allow non-administrator users to change the object's security settings. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute code, possibly under the security context of the console user. In addition, an attacker could change the security on the object to prepare for a future attack, such as setting the object to run as Interactive User. Interactive User runs the application using the security context of the user currently logged on to the computer; if this option is selected and no user is logged on, the application will not start.
Check Content
- Using the Registry Editor, go to the following registry key: HKLM\Software\Classes\AppID. The permissions on this key (inherited by all subkeys) should be: Administrators: Full Control; SYSTEM: Full Control; Users: Read.
- If any account other than Administrators and SYSTEM has greater than Read access, this is a finding.
- Select each subkey and verify that it inherits the same permissions.
- If any subkey has permissions less strict than those above, this is a finding.
Fix Text
Fortify the DCOM AppID permissions. Any changes should be thoroughly tested so that objects continue to function under the tightened security.
- Open the Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\Software\Classes\AppID.
- Select the AppID subkey of the application that generated this finding.
- Set the permissions for standard (non-privileged) user accounts or groups to Read only.
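The Check Content and Fix Text above describe a manual Registry Editor procedure. The following PowerShell script is an added example, not part of the STIG or any DISA tooling: it audits HKLM\Software\Classes\AppID and every subkey against the permission set the check names, reports any non-administrator principal holding more than Read (ReadKey) access and any subkey that has inheritance disabled, and can optionally replace an offending explicit ACE with a Read-only ACE as the Fix Text directs. The principal names (BUILTIN\Administrators, NT AUTHORITY\SYSTEM) and the interpretation of "read" as the RegistryRights ReadKey mask are assumptions made for this example.

```powershell
# Added example (not the STIG's own tooling): audit and optionally repair the
# ACLs on HKLM\Software\Classes\AppID for STIG check 5.108.
# Assumption: "read" access in the check text is the RegistryRights ReadKey mask
# (QueryValues, EnumerateSubKeys, Notify, ReadPermissions).
$base        = 'HKLM:\SOFTWARE\Classes\AppID'
$allowedFull = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')   # assumed names
$readMask    = [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-AppIdKeyAcl {
    # Return one record per Allow ACE that grants a non-admin principal more than ReadKey.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($allowedFull -contains $who) { continue }
        # Any right bit outside the ReadKey mask is "greater than read".
        $extra = [int]$ace.RegistryRights -band (-bnot [int]$readMask)
        if ($extra -ne 0) {
            $findings += [pscustomobject]@{
                Key         = $Path
                Identity    = $who
                Rights      = $ace.RegistryRights
                Inherited   = $ace.IsInherited
                InheritOnly = ($ace.PropagationFlags -band 'InheritOnly') -ne 0
            }
        }
    }
    return $findings
}

function Repair-AppIdKeyAcl {
    # Replace each offending explicit ACE on one key with a ReadKey ACE for the same
    # principal. Inherited ACEs are skipped: fix those at the parent key instead.
    # Without -Apply the resulting ACL is only displayed, so the change can be reviewed
    # and tested before it is written, as the Fix Text requires.
    param([string]$Path, [switch]$Apply)
    $acl = Get-Acl -Path $Path
    foreach ($f in (Test-AppIdKeyAcl -Path $Path)) {
        if ($f.Inherited) { continue }
        $old = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $f.Identity -and -not $_.IsInherited }
        foreach ($rule in $old) { [void]$acl.RemoveAccessRule($rule) }
        $readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $f.Identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($readRule)
    }
    if ($Apply) { Set-Acl -Path $Path -AclObject $acl } else { $acl.Access }
}

# Audit the AppID key and every subkey; a subkey with inheritance disabled is
# reported separately because it no longer receives the parent's permissions.
$keys = @($base) + @(Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
$results = foreach ($key in $keys) {
    $acl = Get-Acl -Path $key
    if ($key -ne $base -and $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Key = $key; Identity = '(inheritance disabled)'; Rights = $null; Inherited = $false; InheritOnly = $false }
    }
    Test-AppIdKeyAcl -Path $key
}
$results | Format-Table -AutoSize

# To remediate one AppID subkey named by the audit (review output first, then add -Apply):
# Repair-AppIdKeyAcl -Path 'HKLM:\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000}'
```

The audit runs with whatever rights the caller has, so run it from an administrative prompt or Get-Acl will fail on keys that deny read to standard users. On stock Windows the AppID parent also carries an inherit-only Full Control ACE for CREATOR OWNER; the script lists it with InheritOnly set so the reviewer can decide whether the environment treats it as a finding, since the check text names only Administrators and SYSTEM as permitted to hold more than Read.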
Additional Identifiers
Rule ID: SV-29541r1_rule
Vulnerability ID: V-6826
Group Title: DCOM - Object Registry Permission
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |