EnableDCOM


Todd S

I had a recommendation to set this value on this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole EnableDCOM=N

I found that N is:

No remote clients may launch servers or connect to objects
on this machine. Local launching of class code and
connecting to objects are allowed on a per-class basis
according to the value and access permissions of the
class's

I am uncertain what it means that remote clients can
connect to objects. Does this include shares and printer
objects or just certain types of objects? What would be a
good example of the type of object that a remote client
couldn't connect to?

Thanks.
 

Mark V

In said:
> I had a recommendation to set this value on this key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole EnableDCOM=N
>
> I found that N is:
>
> No remote clients may launch servers or connect to objects
> on this machine. Local launching of class code and
> connecting to objects are allowed on a per-class basis
> according to the value and access permissions of the
> class's
>
> I am uncertain what it means that remote clients can
> connect to objects. Does this include shares and printer
> objects or just certain types of objects? What would be a
> good example of the type of object that a remote client
> couldn't connect to?

Disabling DCOM may be appropriate as a security technique. This
depends in large part on your environment. For example, nearly all
stand-alone machines do not have a requirement for Distributed COM
services. However, some LAN clients in a MS Domain _do_ require it
to operate correctly. Some (few) applications may need DCOM locally.

Step one above all else is to ensure that the MS Hotfix for RPC/DCOM
vulnerability has been applied to the system.

You do not have to use the following tool, but reading about and/or
acquiring and using it may be of benefit since it is easy to use and
easily reversible.
DCOMbobulator
http://grc.com/default.htm
http://grc.com/dcom/

Also, MS has its own utility already on your system: DCOMCNFG.EXE
This will initially appear rather confusing, but controlling the
configuration of Distributed COM is its purpose and on "Tab #2"
("Default Properties") is a check-box "Enable Distributed COM on this
computer" which essentially toggles the value you are asking about
between "Y" and "N". Some decide to alter the list on the Tab
"Default Protocols" to meet their actual needs (if any).

Not quite certain whether your interest is primarily "on"/"off" or
much deeper at this point.
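
An added example (not part of the original post) of checking and changing the same value from PowerShell rather than through the DCOMCNFG.EXE check-box. The function names are hypothetical, and it assumes an elevated session on the machine being audited.

```powershell
# Added example: audit and toggle the EnableDCOM value discussed in this thread.
# Get-DcomSetting and Set-DcomSetting are hypothetical names, not built-in cmdlets.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomSetting {
    # Read the current value; report 'NotSet' rather than guessing a default.
    $prop  = Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue
    $value = if ($prop) { [string]$prop.EnableDCOM } else { 'NotSet' }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        EnableDCOM = $value
        RemoteDcom = switch ($value) {      # switch matches case-insensitively
            'Y'     { 'Enabled' }
            'N'     { 'Disabled' }
            default { 'Unknown' }
        }
    }
}

function Set-DcomSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Y', 'N')][string]$Value)

    $before = (Get-DcomSetting).EnableDCOM
    if ($PSCmdlet.ShouldProcess("$OleKey\EnableDCOM", "change '$before' to '$Value'")) {
        # EnableDCOM is a string (REG_SZ) value holding Y or N.
        Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value $Value -Type String
    }
    # Return old and new values so the change can be logged and reverted.
    # The new setting takes effect after the machine is restarted.
    [pscustomobject]@{ Previous = $before; Current = (Get-DcomSetting).EnableDCOM }
}

Get-DcomSetting                       # audit only
Set-DcomSetting -Value N -WhatIf      # preview the change without writing it
```

Drop `-WhatIf` to apply the change; calling `Set-DcomSetting` with the recorded `Previous` value puts the original setting back.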
 

Todd S

Thanks Mark V. Some good info on the link. Looks like I
am safe turning it off on all my standard MS servers.
None of them run any custom apps.
 
