Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6826 | 5.108 | SV-29542r1_rule | ECSC-1 | Medium |
Description |
---|
A registry key for a valid DCOM object has access permissions that allow non-administrator users to change the security settings. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute code, possibly under the user context of the console user. In addition, an attacker could change the security on the object to allow for a future attack, such as setting the object to run as Interactive User. The Interactive User setting runs the application using the security context of the user currently logged on to the computer. If this option is selected and the user is not logged on, then the application will not start. |
STIG | Date |
---|---|
Windows 2003 Domain Controller Security Technical Implementation Guide | 2012-09-05 |
Check Text (C-3103r1_chk) |
---|
· Using the Registry Editor, go to the following Registry key: HKLM\Software\Classes\Appid. Expected permissions (inherited by all subkeys): Administrators: Full; SYSTEM: Full; Users: Read. · If any account other than Administrators and System has greater than “read” access, then this would be a finding. · Select each subkey and verify that it is inheriting the same permissions. · If any subkey has permissions that are less strict than those above, then this would be a finding. |
Fix Text (F-6513r1_fix) |
---|
Fortify DCOM's AppId permissions. Any changes should be thoroughly tested so objects continue to function under tightened security. - Open the Registry Editor. - Navigate to HKEY_LOCAL_MACHINE\Software\Classes\Appid. - Select the application that generated this vulnerability. - Set the permissions for standard (non-privileged) user accounts or groups to Read only. |
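
The Check Text steps can be run across every AppID subkey at once instead of by hand in the Registry Editor. The script below is an added example, not part of the STIG: it only reads ACLs and reports deviations. It assumes an elevated Windows PowerShell session; the variable and function names are illustrative, and Administrators and SYSTEM are matched by their well-known SIDs (S-1-5-32-544 and S-1-5-18).

```powershell
# Added example (not from the STIG): audit HKLM\Software\Classes\AppID and its
# subkeys against the Check Text baseline. Read-only; nothing is modified.
$root        = 'HKLM:\Software\Classes\AppID'
$allowedFull = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Bits that count as "Read": KEY_READ plus GENERIC_READ (0x80000000), which
# can appear unmapped in inherit-only ACEs.
$readMask = ([int][System.Security.AccessControl.RegistryRights]::ReadKey) -bor [int]::MinValue

function New-Finding($Key, $Principal, $Rights, $Issue) {
    New-Object PSObject -Property @{
        Key = $Key; Principal = $Principal; Rights = $Rights; Issue = $Issue
    }
}

$keys = @(Get-Item -LiteralPath $root) +
        @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    $acl    = $key.GetAccessControl()
    $isRoot = ($key.Name -eq $keys[0].Name)

    # Check Text: each subkey must inherit the permissions set on AppID.
    if (-not $isRoot -and $acl.AreAccessRulesProtected) {
        New-Finding $key.Name '-' '-' 'Inheritance disabled on subkey'
    }

    # Check Text: only Administrators and SYSTEM may hold more than Read.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($allowedFull -contains $rule.IdentityReference.Value) { continue }

        $beyondRead = ([int]$rule.RegistryRights) -band (-bnot $readMask)
        if ($beyondRead -ne 0) {
            New-Finding $key.Name $rule.IdentityReference.Value `
                        $rule.RegistryRights 'Greater than Read access'
        }
    }
}

if ($findings) {
    $findings | Sort-Object Key | Select-Object Key, Principal, Rights, Issue |
        Format-Table -AutoSize
} else {
    Write-Output "No deviations from the baseline found under $root"
}
```

The check is applied literally, so any principal other than Administrators and SYSTEM with more than Read is listed, including entries inherited from the parent key; review each row before changing permissions as described in the Fix Text.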