Windows DCOM RunAs Value Writeable

I have to correct a security issue that a program discovered when scanned on a Windows 2000 server. It's showing that the error or security flaw is under the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID registry key using regedt32. I have gone under security and permissions, and have verified that no user or group other than the Administrator has full access. I have also removed the "set value" for those users/groups where this was given. However, when running the scan again I am still getting the same results.

What am I missing? How do I correct this?

Oh I have also used the dcomcfg to edit the permissions. That too didn't work.

tks in advance
NovemberSag Asked:

graye Commented:
Hummm... is it possible that it's reporting a different key the 2nd time it's run? Those horrible CLSID values can look a lot alike.
NovemberSag Author Commented:
Unfortunately it's the same key each and every time.
graye Commented:
Humph...  Could you post the key and perhaps the security settings for that key (and perhaps the parent key)?

NovemberSag Author Commented:
I will also include the entry from the security scan.

"Retina has detected the the DCOM RunAs registry values on the scanned system (located in the "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID" registry key) have inappropriate write permissions. An unprivileged user may be able to leverage this vulnerability in order gain full access to all aspects of the system."

Following the program's instructions, I navigate to the "SOFTWARE\Classes\AppID" registry key in the above HKEY, using regedt32 since I am using Windows 2000 Server, and select Security and Permissions.

I then uncheck "Full Control" for any unprivileged users or groups, including the "Everyone" and "Users" groups, and the "INTERACTIVE" user. Also, if any of the aforementioned groups or users have special permissions, ensure that "Set Value" access is not granted.

Now, my system's current settings:

Under AppID Permissions I have listed:
Administrator -> Full Control
Authenticated Users -> Allow Query Value, Enumerate Subkeys, Notify, Read Control
Creator Owner -> Allow Query Value, Create Subkey, Enumerate Subkeys, Notify, Create Link, Delete, and Read Control
Server Operators -> Allow Query Value, Create Subkey, Enumerate Subkeys, Notify, Delete, and Read Control
System ->  Full Control
Everyone -> Read

In the past days of working on this problem I have gone from removing the "Set Value" permission from both System and Administrators, to just one. I am presently at the point that I have listed.

Any suggestions?
graye Commented:
Humm... on my Win2k system I have:

Administrators                  Full
CREATOR OWNER             Full
Everyone                          Read
Power Users                     Special
SYSTEM                           Full
TERMINAL SERVER USER   Special
Users                               Read

But they are all "greyed out", meaning that their permissions are inherited from the "Classes" key above.  

So I'd be looking at the permissions for the Classes key (and to make sure that inheritance is turned on starting at that key)
NovemberSag Author Commented:
Mine was shown greyed too. However, in order for us to remove the permissions that we thought were causing the scan to kick back, we removed the inheritance from the key. After which we removed the suggested entries.

Are you suggesting now to place the inheritance back with the new settings?
graye Commented:
Well, I was thinking that you'd be adjusting the permissions at the "Classes" key and let inheritance "do its thing".

Did you notice that I didn't have an "Authenticated Users" or "Server Operators" entry (probably because my test Win2k Server is not part of a domain)?  That means my Win2k Server would "flunk" too!
NovemberSag Author Commented:
Nothing worse than a flunked server.

I think I had tried to change the permissions at the "classes" key, but was not able to make any changes. I also tried putting a check in the deny checkbox, hoping that I could resolve this problem that way, still without success.
NovemberSag Author Commented:
I appreciate all of your help.
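
The permissions discussed in this thread, checked on the AppID key and on each of its subkeys (an added example, not part of the original thread or any participant's code). It assumes a Windows host with PowerShell, which Windows 2000 does not ship with, and treats only SYSTEM and Administrators as privileged; both are assumptions to adjust.

```powershell
# Added example: report Allow ACEs that give a non-privileged principal write-type
# access to HKLM\SOFTWARE\Classes\AppID or any AppID subkey, and whether the key
# holds a RunAs value. Run elevated so every key's ACL can be read.
$root = 'HKLM:\SOFTWARE\Classes\AppID'
$rr   = [System.Security.AccessControl.RegistryRights]

# Rights that allow changing or planting a value, plus the GENERIC_WRITE and
# GENERIC_ALL bits (0x40000000, 0x10000000) that can appear in inherited ACEs.
$writeMask = [int]($rr::SetValue -bor $rr::CreateSubKey -bor
                   $rr::ChangePermissions -bor $rr::TakeOwnership) -bor 0x50000000

# Privileged principals by well-known SID (assumption: extend for local policy).
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

$keys = @(Get-Item -LiteralPath $root) +
        @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    try   { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($key.Name)"; continue }

    # Ask for SIDs rather than names so the check works on localized systems.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }

        # Resolve the SID to a name for display; keep the SID if it is orphaned.
        try   { $name = $rule.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Key       = $key.Name
            Principal = $name
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited   # False = set explicitly on this key
            RunAs     = $key.GetValue('RunAs')
        }
    }
}

$findings | Sort-Object Key, Principal | Format-Table -AutoSize -Wrap
```

Rows with `Inherited` set to False point at keys whose permissions were set on the key itself rather than coming from the parent, which is the distinction the thread turns on.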