A Windows system has a writable DCOM configuration.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6826	5.108	SV-29542r1_rule	ECSC-1	Medium

Description
A registry key for a valid DCOM object has access permissions that allow non-administrator users to change the security settings. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute code, possibly under the user context of the console user.In addition, an attacker could change the security on the object to allow for a future attack, such as setting the object to run as Interactive User. The Interactive User runs the application using the security context of the user currently logged on to the computer. If this option is selected and the user is not logged on, then the application will not start.

Description

A registry key for a valid DCOM object has access permissions that allow non-administrator users to change the security settings. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute code, possibly under the user context of the console user.In addition, an attacker could change the security on the object to allow for a future attack, such as setting the object to run as Interactive User. The Interactive User runs the application using the security context of the user currently logged on to the computer. If this option is selected and the user is not logged on, then the application will not start.

STIG	Date
Windows 2003 Member Server Security Technical Implementation Guide	2014-01-07

Details

Check Text ( C-3103r1_chk )
·Using the Registry Editor, go to the following Registry key: HKLM\Software\Classes\Appid(inherited by all subkeys) Administrators Full SYSTEM Full Users Read ·If any account other than Administrators and System has greater than “read” access, then this would be a finding. ·Select each subkey and verify that it is inheriting the same permissions. ·If any subkey has permissions that are less strict than those above, then this would be a finding.

Check Text ( C-3103r1_chk )

·Using the Registry Editor, go to the following Registry key:

HKLM\Software\Classes\Appid(inherited by all subkeys)

Administrators Full
SYSTEM Full
Users Read

·If any account other than Administrators and System has greater than “read” access, then this would be a finding.

·Select each subkey and verify that it is inheriting the same permissions.
·If any subkey has permissions that are less strict than those above, then this would be a finding.

Fix Text (F-6513r1_fix)
Fortify DCOMs AppId permissions. Any changes should be thoroughly tested so objects continue to function under tightened security. - Open the Registry Editor. - Navigate to HKEY_LOCAL_MACHINE\Software\Classes\Appid. - Select the application that generated this vulnerability. - Set the permissions for standard (non-privileged) user accounts or groups to Read only.