From: David LeBlanc [dleblanc@MINDSPRING.COM] Sent: Tuesday, July 13, 1999 2:34 AM To: BUGTRAQ@SECURITYFOCUS.COM Subject: DCOM Security references [note - cross-posted to BUGTRAQ and NTBUGTRAQ] While at the Black Hat conference this week, JD Glaser was pointing out in an interesting presentation that DCOM security is very important, and that DCOM exposes a lot of functionality on many systems. He also stated that there wasn't much written about DCOM security, so it seems that this area isn't as well documented as it might be (or at least many people aren't aware of where to find it). I've been investigating DCOM security issues for quite some time, and started putting checks for various DCOM issues into the ISS scanner as far back as 2 years ago (v4.3). I put checks for a fairly comprehensive set of DCOM security issues into the 5.6 version. This isn't meant to be an advertisement for ISS (my former employer), but simply pointing out that the help system of the scanner does contain some good information on DCOM security. The help system can be had for free by downloading an eval copy from ISS' site. Some resources that I've found very helpful in understanding this area are: Current Win32 SDK - very good write-up, and very thorough. Older SDKs were a bit sparse on this topic, but recent versions are good. Pop up dcomcnfg, play with it, use the context-sensitive help to understand what the settings all mean. Also good for understanding what is exposed on your machine. Oleview is another really interesting application. There were 2 articles on this in the MSJ (Microsoft Systems Journal) last fall - should be available online. It is also a Good Thing to understand what COM and DCOM objects are available on your system, and as Mike Howard has pointed out, it is especially important on a IIS web server - an .asp script can open these things fairly easily. Under normal circumstances, objects are secured properly and require admin access to run things remotely. Also, if you happen to be writing a DCOM app, understanding the security from the start can make a big difference. It seems that DCOM is getting used more and more often, and so will probably be increasingly important to understand. JD asked me to post this - I hope it might be helpful. David LeBlanc dleblanc@mindspring.com