[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)

ID: oval:org.secpod.oval:def:35274Date: (C)2016-06-10   (M)2022-12-02
Class: COMPLIANCEFamily: windows




This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this Group Policy setting to grant access to all the computers to particular users for DCOM application in the enterprise. When you define this setting, and specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on local launch, remote launch, local activation, and remote activation. The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. RpcSs checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. The possible values for this Group Policy setting are: Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it to Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK. SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy. Not Defined. This is the default value. Note If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in SP2, this policy setting can be used for controlling the DCOM activation and launch to the computer. The administrator can specify which users and groups can launch and activate DCOM applications on the computer both locally and remotely by using the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. Counter Measure: To protect individual COM-based applications or services, set this policy setting to an appropriate computer-wide ACL. The syntax for SDDL is documented here: http://msdn.microsoft.com/en-us/library/aa379567(VS.85).aspx Potential Impact: Windows operating systems implement default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications to components that communicate by using DCOM to fail. If you implement a COM server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns activation permission to appropriate users. If it does not, you need to change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) REG: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM!MachineLaunchRestriction

Platform:
Microsoft Windows 10
Reference:
CCE-43446-4
CCE    1
CCE-43446-4

© SecPod Technologies