Disable DCOM?


Ann

Hello all,

We recently had a security audit done on our systems and one of the things
that came out of this was for us to disable DCOM on the affected servers.

Being fairly new to the Windows server environment…I have a mixture of 2000
and 2003 server. Our domain controllers and DNS servers are 2003. My
questions are:

1. What does disabling DCOM really affect? Will my ability to remote
desktop to servers be disabled if I do this?

2. Does DNS or AD require DCOM?

I greatly appreciate your input.

Thanks!
 

Brian Komar

That would be a really bad idea.
Brian

"Ann" <Ann@discussions.microsoft.com> wrote in message
news:EDFF1AEB-C5BF-470D-B3BD-9BE60740BE33@microsoft.com...
> Hello all,
>
> We recently had a security audit done on our systems and one of the things
> that came out of this was for us to disable DCOM on the affected servers.
>
> Being fairly new to the Windows server environment…I have a mixture of
> 2000
> and 2003 server. Our domain controllers and DNS servers are 2003. My
> questions are:
>
> 1. What does disabling DCOM really affect? Will my ability to remote
> desktop to servers be disabled if I do this?
>
> 2. Does DNS or AD require DCOM?
>
> I greatly appreciate your input.
>
> Thanks!
>
 

Paul Adare

On Fri, 11 Jan 2008 10:07:01 -0800, Ann wrote:

> We recently had a security audit done on our systems and one of the things
> that came out of this was for us to disable DCOM on the affected servers.


You need to demand the return of any fees you've paid to the company that
performed the audit for you.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Congratulations! You are the one-millionth user to log into our system.
 

Roger Abell [MVP]

"Ann" <Ann@discussions.microsoft.com> wrote in message
news:EDFF1AEB-C5BF-470D-B3BD-9BE60740BE33@microsoft.com...
> Hello all,
>
> We recently had a security audit done on our systems and one of the things
> that came out of this was for us to disable DCOM on the affected servers.
>
> Being fairly new to the Windows server environment…I have a mixture of
> 2000
> and 2003 server. Our domain controllers and DNS servers are 2003. My
> questions are:
>
> 1. What does disabling DCOM really affect? Will my ability to remote
> desktop to servers be disabled if I do this?
>
> 2. Does DNS or AD require DCOM?
>
> I greatly appreciate your input.
>
> Thanks!
>


You would still be able to use remote desktop.

Special purpose domain member servers that are only
managed via login (actual or remote desktop) can often
fill their function with DCOM not enabled, but it does
depend on what is the software load / server purpose.

You would lose remote management capability which
can mean you end up with a more poorly managed and
monitored (read less safe) system.

Roger
 

Anteaus

"Paul Adare" wrote:

> On Fri, 11 Jan 2008 10:07:01 -0800, Ann wrote:


> You need to demand the return of any fees you've paid to the company that
> performed the audit for you.


Masculine bovine stools.

DCOM has in the past been a known security issue, and was at the root of
several very high-risk virus exploits. The advice is basically sound, but
maybe needs qualifying. If you want to disable it, you can do so from the
dcomcnfg tool, or with DComBob from http://grc.com

Whatever you do, don't try to disable the DCOM/RPC services themselves
though, or the computer won't boot. :-/

Whether disabling will affect anything depends on your setup. I've so far
found only one program that whinged at DCOM not being available. You may find
that some of the domain-based remote management tools are not available.

Easy enough to turn it back on, anyway.
 

Brian Komar

<snip>
> Masculine bovine stools.
>

nice.... really nice...
 
