Avatar of NovemberSag
 asked on

Windows DCOM RunAs Value Writeable

I have to correct an security issue that a program discovered when scanned on a Windows 2000 server. Its showing that the error or security flaw is under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID registry key using regedt32. I have gone under security and permissions, have verified that no user or group other than the Administrator has full access, I have also removed the "set value" for those users/groups where this was given. However, when running the scan again I am still getting the same results.

What am I missing? How do I correct this?

Oh I have also used the dcomcfg to edit the permissions. That too didn't work.

tks in advance
Windows Networking

Avatar of undefined
Last Comment

8/22/2022 - Mon

Hummm... is it possible that it's reporting a different key the 2nd time it's run.   Those horrible CLSID values can look a lot a like.

Unfortunately its the same key each and every time.

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

I will also include the entry from the security scan.

"Retina has detected the the DCOM RunAs registry values on the scanned system (located in the "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID" registry key) have inappropriate write permissions. An unprivileged user may be able to leverage this vulnerability in order gain full access to all aspects of the system."

In the programs instruction I Navigate to the "SOFTWARE\Classes\AppID" registry key in the above HKEY, using regedt32 since I am using OS Window 2000 server Select Security and Permissions.

I then Uncheck "Full Control" for any unprivileged users or groups, including the "Everyone" and "Users" groups, and the "INTERACTIVE" user. Also, if any of the aforementioned groups or users have special permissions, ensure that "Set Value" access is not granted.

Now, what my system current settings:

Under AppID Permissions I have listed Administrator -> Full Control
Authenticated Users -> Allow Query Value, Enumerate Subkeys, Notify, Read Control
Creator Owner -> Allow Query Value, Create Subkey, Enumerate Subkeys, Notify, Create Link, Delete, and Read Control
Server Operators -> Allow Query Value, Create Subkey, Enumerate Subkeys, Notify, Delete, and Read Control
System ->  Full Control
Everyone -> Read

In the past days of working on this problem I have gone from removing the "Set Value" permission from both System and Adminstrators, to just one. I am presently to the point where I have listed.

Any suggestions?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

Humm... on my Win2k system I have:

Administrators                  Full
CREATOR OWNER             Full
Everyone                          Read
Power Users                     Special
SYSTEM                           Full
Users                               Read

But they are all "greyed out", meaning that their permissions are inherited from the "Classes" key above.  

So I'd be looking at the permissions for the Classes key (and to make sure that inheritance is turned on starting at that key)

Mine was shown greyed too. However in order for us to remove the permissioned that was what we thought causing the scan to kick back we removed the inheritance from the key. After which we removed the suggested entries.

Are you suggesting now to place the inheritance back with the new settings?

Well, I was thinking that you'd be adjusting the permissions at the "Classes" key and let inheritance "do its thing".

Did you notice that I didn't have a "Authenticated Users" or "Server Operators" entry (probably because my test Win2k Server is not part of a domain).  That means my Win2k Server would "flunk" too!
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Nothing worse than a flunked server.

I think I had tried to change the permissions at the "classes" key, but wasn't not able to make any changes. I also tried putting a check in the deny for the checkbox hoping that I could resolve this problem that way, still without success

I appreciate all of your help.