
DCOM calls are not executed under the security context of the calling user.


Overview

Finding ID: V-6830
Version: 5.112
Rule ID: SV-29740r1_rule
IA Controls:
Severity: Medium
Description
DCOM calls are executed under the security context of the calling user by default. If the RunAs key has been altered, the DCOM calls can be executed under the user context of the currently logged-in user, or as a third user. If present, the RunAs value tells the COM Service Control Manager (SCM) the name of the account under which the server is to be activated. In addition to the account name, the COM SCM must also have the password of the account. The result of a successful logon is a security context (token) for the named account that is used as the primary token for the new COM server process. Administrators should not use this method in the evaluated configuration if accountability is required, since accountability cannot be enforced. RunAs values will be removed.
STIG Date
Windows Vista Security Technical Implementation Guide 2017-01-30

Details

Check Text ( C-3107r1_chk )
· Using the Registry Editor, go to the following Registry key:

HKLM\Software\Classes\Appid

· View each subkey in turn and verify that the RunAs value has not been added.
· If any subkey has a RunAs value, then this would be a finding.

Note: Windows components that have default RunAs values, such as Interactive User, do not need to be changed. Windows components that have had a RunAs value added or changed, and non-Windows COM objects added to the system with RunAs values, need to be reviewed.
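
The manual check above can be scripted. The following PowerShell is an added example, not part of the STIG text; it only reads the key named in the check, and the function name Get-DcomRunAs and the wording of the Review column are assumptions made here.

```powershell
# Added example: report every subkey of the AppID key that has a RunAs value.
# Read-only; run from an elevated prompt so all subkeys are readable.
$AppIdRoot = 'HKLM:\Software\Classes\AppID'   # key named in the check text

function Get-DcomRunAs {                      # hypothetical helper name
    param([string]$Path = $AppIdRoot)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $runAs = $_.GetValue('RunAs')         # $null when the value is absent
        if ($null -ne $runAs) {
            # The check's note treats "Interactive User" on a Windows
            # component as a default; anything else names an account.
            $review = if ($runAs -eq 'Interactive User') {
                'Default only if this is a Windows component'
            } else {
                'Named account: review'
            }
            New-Object PSObject -Property @{
                AppId  = $_.PSChildName
                Name   = $_.GetValue('')      # key's default value, often the server name
                RunAs  = $runAs
                Review = $review
            }
        }
    }
}

$found = @(Get-DcomRunAs)
if ($found.Count -eq 0) {
    Write-Output "No RunAs values under $AppIdRoot"
} else {
    $found | Select-Object AppId, Name, RunAs, Review | Format-Table -AutoSize
}
```
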
Fix Text (F-6517r1_fix)
Remove any RunAs values from DCOM objects in the Registry.