DCom Error Messages EventID 10009

The error log on a server is showing an error every few minutes that indicates a connection cannot be made to a server on the web. WHOIS says the server is a Google server.

The error reads:
DCOM was unable to communicate with the computer 74.125.224.72 using any of the configured protocols.

In tracing the process, it is coming from process ID 768. 768 is Svchost.exe and is coming from the services RpcSs and RpcEptMapper.

Help says to open up port 135 in the firewall. But researching this, it seems to be a bad idea since DCOM has been known to be a virus back door. For the life of me, I don't know what this is trying to do and why a Google server would need to communicate this way.

My questions are:
1) Should the port be opened?
2) Is there any way to tell what this is trying to do?

Any insight would be appreciated.
HCSHAW asked:
btan (Exec Consultant) commented:
Simply speaking, DCOM 10009 indicates that the DCOM client located on this <Computer Name> can't communicate with the DCOM/COM+ server located on that <Target Computer Name>. The local SCM COM activator is also called the RPCSS service.

There are past troubleshooting details shared - mostly the remote server is offline, or the comms between the client and the remote server are blocked at the client or remote server end; it can be any security device blocking, especially those FWs. Secure by default, this port is included.

Wearing the security hat, indeed the DCOM port must be closed, especially if it's not used by any application, but legacy apps can still be using them; most apps have shifted into the port 80 space... that is another playground.

Wearing the business hat, Microsoft did have something to say on securing the DCOM or COM+ service from a computer/application perspective, such as restricting to least privilege and specifying a specific user account (instead of the default system) to run this. Ideally, the assigned account's only purpose is RPC related and, for this case, to facilitate the comms. Overall, the lockdown measures attempt to reduce the attack surface though... you can catch a hardening example (pdf) which is pretty step by step for their case and reference.

There is a TechNet article on enabling the host FW to allow DCOM/COM+ to pass through.

In summary, in order to make DCOM applications work in Windows Server 2008 you need to do two things. Installing the Application role is not needed (but it does add the COM+ network access as in below).

a. Allow "COM+ network access" in firewall rules (type firewall.cpl from a command prompt and on the left you'll see the setting). COM+ is somewhat of a misnomer since it is also for DCOM. COM+ Network Access is a preconfigured program in the exception list that you can just check off.

b. Add your DCOM server to the list of program exceptions in the firewall.
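A defender-side triage of this event, added here as an example and not code from the thread or from Microsoft: it lists the hosts the local RPCSS is trying to reach (flagging any outside private address ranges), checks the "COM+ Network Access" firewall group the answer refers to, and shows which account and PID host RpcSs/RpcEptMapper. It assumes PowerShell 3 or later on Windows 8/Server 2012 or later, and the message regex is an assumption based on the event text quoted in the question.

```powershell
# Added example (not from the thread): triage DCOM EventID 10009 on the local host.
# Assumes Windows 8 / Server 2012 or later (Get-WinEvent, Get-NetFirewallRule).

function Get-Dcom10009Target {
    # Pull the 10009 events from the System log and extract the target host named in the message.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10009 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Regex is an assumption based on the quoted message text.
            if ($_.Message -match 'communicate with the computer (\S+?)\s+using') {
                [pscustomobject]@{ Time = $_.TimeCreated; Target = $Matches[1] }
            }
        }
}

function Test-PrivateAddress([string]$Addr) {
    # RFC 1918, loopback and link-local count as private; anything else is public.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Addr, [ref]$ip)) { return $false }  # a hostname, not an IP
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

# 1) Which hosts are being contacted, how often, and are any outside the LAN?
Get-Dcom10009Target |
    Group-Object Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Private'; e = { Test-PrivateAddress $_.Name } }

# 2) Is the "COM+ Network Access" exception from the answer enabled on this host?
Get-NetFirewallRule -DisplayGroup 'COM+ Network Access' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action

# 3) Which PID and account host the two services the question traced the error to?
Get-CimInstance Win32_Service -Filter "Name='RpcSs' OR Name='RpcEptMapper'" |
    Select-Object Name, ProcessId, StartName, State
```

A public address in the first table that is not an expected management target is the case to investigate on the host before touching any firewall rule.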
Davis McCarn (Owner) commented:
Is there any chance that Chrome, Earth, or the Toolbar got installed?  All of them check for updates.
And no, I wouldn't open a port for a suspicious process.
HCSHAW (Author) commented:
That's the info I needed. Thanks...
Question has a verified solution.