Disabling DCOM Support in RPC Over HTTP in Windows Server 2003

I know this is an older exploit, but my servers are still getting scanned for the vulnerability. It's always better safe than sorry when dealing with anything that opens your Windows server up to an attack and possible compromise.

Read on to determine whether RPC over HTTP is installed and, if it is, how to secure your server against any attack that exploits this vulnerability.

The DCOM exploits present in Windows Server 2003, referenced in Microsoft Security Bulletin MS03-039 and CERT Advisory CA-2003-19, are also present in the RPC over HTTP interface.

This interface is not installed by default, but can be added using the Add / Remove Programs control panel applet.

To determine if RPC over HTTP is installed:

  1. In Control Panel, click Add / Remove Programs.
  2. Click Add / Remove Windows Components.
  3. Click Networking Services, then click Details.
  4. If the RPC over HTTP Proxy box is checked, then RPC over HTTP is installed on the server.

DCOM is a protocol that can be used on top of RPC over HTTP. By default, any server with RPC over HTTP installed will accept DCOM requests using this protocol. Accepted DCOM requests are then forwarded to TCP port 593.

Security best practices demand the disabling or removal of all non-essential components and services. DCOM support within RPC over HTTP can be removed by modifying the registry.

To remove DCOM support within RPC over HTTP:

  1. Use a registry editing tool to navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
  2. Locate the ValidPorts value.
  3. By default, the value will contain the following entry: :100-5000 (this allows RPC over HTTP to use TCP ports 100 through 5000). As DCOM uses TCP port 593, we can disable it as follows:
  4. Edit the ValidPorts value to contain the following: :100-592;:594-5000
  5. Remove or amend any other entries that contain reference to TCP port 593 or port ranges spanning TCP port 593 in the manner demonstrated above.

When you remove entries for port 593, you prevent DCOM from being used through the RPC over HTTP protocol, but RPC programs (like the Outlook 2003 client) are permitted to connect to the RPC server (Exchange 2003 Server) through RPC over HTTP. More information on RPC over HTTP can be found on the Microsoft website.
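Step 5 above generalizes to any ValidPorts entry whose range spans port 593. The following Python script is an added example, not code from the original post: it checks whether a ValidPorts string still admits port 593 and rewrites it so that every range is split around that port, assuming (as in the post's example) that entries are separated by semicolons and each is either `host:port` or `host:low-high`. The registry function at the end is hypothetical usage that only works when run on the Windows server itself.

```python
"""Rewrite an RpcProxy ValidPorts string so no entry admits TCP port 593 (DCOM)."""

DCOM_PORT = 593
# Assumed registry location, as given in the post (Windows only; not touched by the tests).
RPCPROXY_KEY = r"Software\Microsoft\Rpc\RpcProxy"


def parse_entry(entry):
    """Split 'host:low-high' or 'host:port' into (host, low, high); host may be empty."""
    host, _, ports = entry.rpartition(":")
    if "-" in ports:
        low, high = ports.split("-", 1)
        return host, int(low), int(high)
    return host, int(ports), int(ports)


def format_entry(host, low, high):
    """Inverse of parse_entry, collapsing a one-port range back to 'host:port'."""
    return f"{host}:{low}" if low == high else f"{host}:{low}-{high}"


def entries(valid_ports):
    """Yield the non-empty, parsed entries of a ValidPorts string."""
    for raw in valid_ports.split(";"):
        if raw.strip():
            yield parse_entry(raw.strip())


def allows_port(valid_ports, port=DCOM_PORT):
    """Check: does any entry (single port or range) still cover the given port?"""
    return any(low <= port <= high for _, low, high in entries(valid_ports))


def exclude_port(valid_ports, port=DCOM_PORT):
    """Return ValidPorts with the given port carved out of every entry that covers it."""
    kept = []
    for host, low, high in entries(valid_ports):
        if port < low or port > high:
            kept.append(format_entry(host, low, high))  # does not cover 593: unchanged
            continue
        if low < port:
            kept.append(format_entry(host, low, port - 1))  # part below 593
        if high > port:
            kept.append(format_entry(host, port + 1, high))  # part above 593
        # an entry that was exactly the port is dropped entirely
    return ";".join(kept)


def harden_registry():
    """Rewrite the live ValidPorts value; returns (old, new). Runs on Windows only."""
    import winreg  # constructed usage; winreg exists only on Windows
    access = winreg.KEY_READ | winreg.KEY_WRITE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RPCPROXY_KEY, 0, access) as key:
        current, kind = winreg.QueryValueEx(key, "ValidPorts")
        hardened = exclude_port(current)
        winreg.SetValueEx(key, "ValidPorts", 0, kind, hardened)
    return current, hardened
```

Run `allows_port` on the value after editing it to confirm no remaining entry spans 593, which catches the "other entries" case in step 5 that is easy to miss when editing by hand.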
