How to disable DCOM and also some DCOM vuln-related info

If you *need* Windows networking file/print services, then you can still disable DCOM by going through the following instructions, starting from "DCOMCNFG.EXE", but you need to be far more alert to new vulnerabilities and patches available.

There is only one way of making a Win2k box "DCOM vulnerability-proof", and that is to ensure that all Windows filesharing/SMB services are disabled, and ports 135, 137-139, and 445 are never listening.

Win2k SP4 is required. I'm not sure about WinXP requirements.

disable client for MS networks (and filesharing services) across all adapters

stop and manual services: server, workstation, browser, messenger, TCP/IP NetBIOS Helper, Spooler, Alerter

device manager: show hidden devices - disable "NetBIOS over TCP/IP"

start > run: DCOMCNFG.EXE

Go into "Default Properties" tab, and untick "Enable Distributed COM on this computer", hit OK.

Go into "Default protocols" tab, and remove all DCOM protocols from the list.

Personally, I still apply the DCOM/RPC patches, there's more than one potential vector than the port-based attack :-)

Further reading

A useful article to read regarding the DCOM vulnerabilities is:

Screw-up factors:

If IIS is installed, it'll open port 135. That probably goes for all MS product services, such as Exchange, SQL Server, etc.

Things that stop working if DCOM is disabled

So far, I've only noticed that attempting to do remote desktop to the machine with DCOM disabled doesn't work.  More specifically, I think it is the machine in question trying to set up a remote help request doesn't work.


An alternative method of disabling DCOM, though it has as much effect as the above (through DCOMCNFG.EXE) method:

To disable DCOM on this system, modify the following registry key:
Key: Microsoft\Ole
Name: EnableDCOM
Type: REG_SZ
Value: N


Modified: 31/10/2008, Mike Coppins.
Tested on: WinNT4, Win2k, WinXP.