NovemberSag

asked on

Windows DCOM RunAs Value Writeable

I have to correct a security issue that a program discovered when it scanned a Windows 2000 server. It's showing that the error or security flaw is under the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID registry key, using regedt32. I have gone under Security and Permissions, have verified that no user or group other than Administrator has full access, and I have also removed "Set Value" for those users/groups where this was given. However, when running the scan again I am still getting the same results.

What am I missing? How do I correct this?

Oh, I have also used dcomcnfg to edit the permissions. That too didn't work.

Thanks in advance
graye

Hummm... is it possible that it's reporting a different key the 2nd time it's run? Those horrible CLSID values can look a lot alike.
NovemberSag


Unfortunately it's the same key each and every time.
graye

This solution is only available to members.
I will also include the entry from the security scan.

"Retina has detected that the DCOM RunAs registry values on the scanned system (located in the "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID" registry key) have inappropriate write permissions. An unprivileged user may be able to leverage this vulnerability in order to gain full access to all aspects of the system."

In the program's instructions I navigate to the "SOFTWARE\Classes\AppID" registry key under the above hive, using regedt32 since I am running Windows 2000 Server, and select Security and Permissions.

I then Uncheck "Full Control" for any unprivileged users or groups, including the "Everyone" and "Users" groups, and the "INTERACTIVE" user. Also, if any of the aforementioned groups or users have special permissions, ensure that "Set Value" access is not granted.

Now, my system's current settings:

Under AppID Permissions I have listed Administrator -> Full Control
Authenticated Users -> Allow Query Value, Enumerate Subkeys, Notify, Read Control
Creator Owner -> Allow Query Value, Create Subkey, Enumerate Subkeys, Notify, Create Link, Delete, and Read Control
Server Operators -> Allow Query Value, Create Subkey, Enumerate Subkeys, Notify, Delete, and Read Control
System ->  Full Control
Everyone -> Read

In the past days of working on this problem I have gone from removing the "Set Value" permission from both System and Administrators to just one. I am presently at the point I have listed above.

Any suggestions?
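The scanner text and the remediation steps above, turned into an audit script. This is an added example, not code from the thread or from the Retina product. It assumes a host with Windows PowerShell (Windows 2000 itself predates PowerShell, so on the original server the same check has to be done key by key in regedt32), and the list of "unprivileged" principals is an assumption based on the groups the scanner instructions name. Two points the finding text glosses over: the RunAs entries are values under the individual {AppID} subkeys, not under AppID itself, and registry permissions are granted per key, not per value, so a RunAs value is writable whenever the key holding it grants Set Value, whether by an explicit ACE or one inherited from AppID or Classes. The script therefore walks the AppID key named in the finding plus every subkey carrying a RunAs value, and for each offending ACE reports whether it is inherited and whether the key has cut off inheritance.

```powershell
# Added example (not from the thread): read-only audit of write access to the
# keys that hold DCOM RunAs values. Run from an elevated Windows PowerShell prompt.

$appIdRoot = 'HKLM:\SOFTWARE\Classes\AppID'

# Assumed set of low-privilege principals, taken from the scanner's remediation text
# plus Authenticated Users, which the poster's ACL lists.
$lowPriv = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these lets a principal change the RunAs value, replace the key, or grant
# itself more rights later. FullControl is a superset but is listed for readability.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership, FullControl'

function Get-WeakRunAsAce {
    param([string]$Root = $appIdRoot)

    # The AppID key itself (named in the finding) plus every subkey that carries a RunAs value.
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue |
              Where-Object { $null -ne $_.GetValue('RunAs') })

    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

            [pscustomobject]@{
                Key       = $key.Name
                RunAs     = $key.GetValue('RunAs')
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited          # True: fix it at the parent key
                Protected = $acl.AreAccessRulesProtected  # True: this key no longer inherits
            }
        }
    }
}

Get-WeakRunAsAce | Format-Table -AutoSize
```

A row with Inherited = True has to be fixed at the key the ACE comes from (Classes, or AppID), not where it shows up; a row with Protected = True is a key with its own ACL, which a change made at Classes or AppID will never reach.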
Humm... on my Win2k system I have:

Administrators                  Full
CREATOR OWNER             Full
Everyone                          Read
Power Users                     Special
SYSTEM                           Full
Users                               Read

But they are all "greyed out", meaning that their permissions are inherited from the "Classes" key above.  

So I'd be looking at the permissions for the Classes key (and to make sure that inheritance is turned on starting at that key)
Mine was shown greyed too. However, in order for us to remove the permissions that we thought were causing the scan to kick back, we removed the inheritance from the key. After that we removed the suggested entries.

Are you suggesting now to place the inheritance back with the new settings?
Well, I was thinking that you'd be adjusting the permissions at the "Classes" key and let inheritance "do its thing".

Did you notice that I didn't have a "Authenticated Users" or "Server Operators" entry (probably because my test Win2k Server is not part of a domain).  That means my Win2k Server would "flunk" too!
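graye's approach, fixing the entries once at the "Classes" key and letting inheritance carry them down, as an added example script that is not part of the thread. It assumes Windows PowerShell on the target and that the account running it is allowed to change permissions on HKLM\SOFTWARE\Classes; the principal list and the two function names are hypothetical. Explicit write-capable ACEs for low-privilege principals at Classes are replaced by read-only ACEs with the same inheritance flags, then inheritance is turned back on at AppID (the thread removed it) so the corrected ACL applies there and to the {AppID} subkeys again. Run it with -WhatIf first and read what it reports before applying.

```powershell
# Added example (not from the thread): repair at Classes, then re-enable inheritance
# on AppID. Run from an elevated Windows PowerShell prompt.

$classesKey = 'HKLM:\SOFTWARE\Classes'
$appIdKey   = 'HKLM:\SOFTWARE\Classes\AppID'

# Assumed set of principals that must not hold write rights (from the scanner text).
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership'

function Repair-ClassesAcl {
    # Hypothetical helper. Replaces explicit (non-inherited) Allow ACEs that give a
    # low-privilege principal write rights with ReadKey ACEs carrying the same
    # inheritance flags, so child keys keep receiving a read-only entry.
    param(
        [string]$Path,
        [string[]]$Principals,
        [switch]$WhatIf
    )

    $acl = Get-Acl -LiteralPath $Path
    $changed = 0

    foreach ($ace in @($acl.Access)) {           # copy: the collection is edited below
        if ($ace.IsInherited) { continue }        # inherited ACEs are fixed at their source key
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

        $null = $acl.RemoveAccessRule($ace)
        $readOnly = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList `
            $ace.IdentityReference,
            [System.Security.AccessControl.RegistryRights]::ReadKey,
            $ace.InheritanceFlags,
            $ace.PropagationFlags,
            [System.Security.AccessControl.AccessControlType]::Allow
        $acl.AddAccessRule($readOnly)
        $changed++
        Write-Host ('{0}: {1} {2} -> ReadKey' -f $Path, $ace.IdentityReference.Value, $ace.RegistryRights)
    }

    if ($changed -gt 0) {
        Set-Acl -LiteralPath $Path -AclObject $acl -WhatIf:$WhatIf
    }
    return $changed
}

function Restore-AppIdInheritance {
    # Hypothetical helper. Turns inheritance back on so the ACL fixed at Classes
    # reaches this key again. SetAccessRuleProtection's second argument is only
    # consulted when protection is being switched on, so it is irrelevant here.
    param([string]$Path, [switch]$WhatIf)

    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) { return $false }   # already inheriting
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl -WhatIf:$WhatIf
    return $true
}

# Dry run; drop -WhatIf once the reported changes look right.
Repair-ClassesAcl -Path $classesKey -Principals $lowPriv -WhatIf
Restore-AppIdInheritance -Path $appIdKey -WhatIf
```

Any {AppID} subkey that was itself set to stop inheriting keeps its own ACL and needs the same treatment individually; re-enabling inheritance at AppID does not reach it.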
Nothing worse than a flunked server.

I think I had tried to change the permissions at the "Classes" key, but wasn't able to make any changes. I also tried putting a check in the Deny checkbox, hoping that I could resolve this problem that way, still without success.
I appreciate all of your help.