Solved

DCOM Error Messages EventID 10009

Posted on 2014-03-28
Last Modified: 2014-03-31
The error log on a server is showing an error every few minutes that indicates a connection cannot be made to a server on the web. WHOIS says the server is a Google server.

The error reads:
DCOM was unable to communicate with the computer 74.125.224.72 using any of the configured protocols.

In tracing the process, it is coming from process ID 768. 768 is Svchost.exe and is coming from the services RpcSs and RpcEptMapper.

Help says to open up port 135 in the firewall. But researching this, it seems to be a bad idea since DCOM has been known to be a virus back door. For the life of me, I don't know what this is trying to do and why a Google server would need to communicate this way.

My questions are:
1) Should the port be opened?
2) Is there any way to tell what this is trying to do?

Any insight would be appreciated.
Question by:HCSHAW

Expert Comment

by:Davis McCarn
ID: 39963709
Is there any chance that Chrome, Earth, or the Toolbar got installed?  All of them check for updates.
And no, I wouldn't open a port for a suspicious process.

Accepted Solution

by:
btan earned 500 total points
ID: 39964373
Simply speaking, DCOM 10009 indicates that the DCOM client located on this <Computer Name> can’t communicate with the DCOM|COM+ server located on that <Target Computer Name>. The local SCM COM activator is also called the RPCSS service.

There are past troubleshooting details shared: mostly the remote server is offline, or the comms between the remote server is blocked at the client or remote server end. It can be any security device blocking, especially firewalls; secure by default, this port is included.

Wearing the security hat, indeed the DCOM port must be closed, especially if it is not used by any application, but mostly legacy apps can still be using it. Most apps have shifted into the port 80 space; that is another playground.

Wearing the business hat, Microsoft did have something to say on securing the DCOM or COM+ service from a computer/application perspective, such as restricting to least privilege and specifying a specific user account (instead of the default system account) to run it. Ideally, the assigned account's only purpose is RPC related, and for this case to facilitate the comms. Overall, the lockdown measures attempt to reduce the attack surface. You can catch a hardening example (PDF) which is pretty step by step, for their case and for reference.

There is a TechNet article on enabling the host FW to allow DCOM/COM+ to pass through.

In summary, in order to make DCOM applications work in Windows Server 2008 you need to do two things. Installing the Application role is not needed (but it does add the COM+ network access as in below).

a. Allow "COM+ network access" in firewall rules (type firewall.cpl from a command prompt and on the left you'll see the setting). COM+ is somewhat of a misnomer since it is also for DCOM. COM+ Network Access is a preconfigured program in the exception list that you can just check off.

b. Add your DCOM server to the list of program exceptions in the firewall.

Author Closing Comment

by:HCSHAW
ID: 39966891
That's the info I needed. Thanks.
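
One way to approach the asker's second question from the host itself, as an added example that is not part of the original thread: a read-only PowerShell script that summarises the Event ID 10009 targets, lists current connections to remote port 135 with the services in the owning PID, and checks for installed Google software as the first comment suggests. The look-back window and the English-language message match are assumptions.

```powershell
# Added example (not from the thread). Read-only triage for DCOM Event ID 10009.
# Assumes an English-language OS, because the event message text is matched.
$days = 7   # assumed look-back window

# 1. Which targets is DCOM failing to reach, how often, and since when?
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 10009; StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue

$hits = $events | ForEach-Object {
    if ($_.Message -match 'communicate with the computer (\S+) using') {
        New-Object PSObject -Property @{ Target = $Matches[1]; Time = $_.TimeCreated }
    }
}
$hits | Group-Object Target | Sort-Object Count -Descending | ForEach-Object {
    $t = @($_.Group | Sort-Object Time)   # force an array even for one event
    New-Object PSObject -Property @{
        Target = $_.Name; Count = $_.Count
        FirstSeen = $t[0].Time; LastSeen = $t[-1].Time
    }
} | Format-Table Target, Count, FirstSeen, LastSeen -AutoSize

# 2. Which local PIDs have a TCP connection to a remote port 135 right now,
#    and which services run inside each PID (svchost.exe hosts several)?
$rx = '^\s*TCP\s+\S+\s+(\S+):135\s+(\S+)\s+(\d+)\s*$'
$conns = netstat -ano | ForEach-Object {
    if ($_ -match $rx) {
        New-Object PSObject -Property @{
            Remote = $Matches[1]; State = $Matches[2]; ProcessId = $Matches[3]
        }
    }
}
if ($conns) {
    $conns | Format-Table Remote, State, ProcessId -AutoSize
    $conns | Select-Object -ExpandProperty ProcessId -Unique | ForEach-Object {
        tasklist /svc /fi "PID eq $_"
    }
}

# 3. Is Google software installed that checks for updates (the first comment's question)?
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.Publisher -like '*Google*' -or $_.DisplayName -like '*Google*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate
```

Failed connection attempts are short-lived, so step 2 is most useful when run around the time the event fires; it shows the PID that owns the socket, which the question already traced to the svchost.exe hosting RpcSs.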