Windows 10: Multiple Microsoft Windows RPC/DCOM Vulnerabilities (MS04-012) on Windows 10 machines

Discussion in 'Windows 10 Ask Insider' started by /u/Chipperchoi, Apr 11, 2020.

  1. Multiple Microsoft Windows RPC/DCOM Vulnerabilities (MS04-012) on Windows 10 machines


    I am working through vulnerability reports from Qualys from a client and I get 4 Windows 10 machines reporting the vulnerability in the title.

    I have no idea how to patch this other than disabling DCOM, which I do not want to do as these machines are connected to the domain.

    Only patches that I can find are from over a decade ago for much older OSes.

    Can anyone point me in the right direction as to how to get rid of this vulnerability other than completely disabling DCOM?

    submitted by /u/Chipperchoi
     
    /u/Chipperchoi, Apr 11, 2020
    #1

  2. Microsoft "One Care Live": Anyone tried this for their AntiVirus protection system?

    Hey, AthlonX2 -

    If you want to test the DCOM/COM+ dependencies? I can put out the needed keys OR .reg file areas you need to have to turn off "remote COM+/DCOM" abilities the OS has & see if this affects "Ms OneCare Live" how it does "Windows Defender".

    They are as follows (& easy to 'turn back on again' as well):

    HOW TO DISABLE REMOTE COM+ ACTIVITY:

    ===============================

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3]
    "RemoteAccessEnabled"=dword:00000000
    "Com+Enabled"=dword:00000000

    ===============================

    * NOTE - PAY ATTENTION TO THE 'BOLDED' ENTRY ONLY: I.E.-> Making it "0" turns remote access of COM+, off. You may want to just change the "RemoteAccessEnabled" part only, & leave the Com+Enabled one as 1, its default, iirc.

    See, You COULD add (or, alter if existing already by default) the DWORD value of Com+Enabled, but making it "1" hexadecimal is the default, & enables it (on/off BOOLEAN switch)... still, this one, for the purposes of the test (non-bold entry) you can pretty much leave alone, so it still works locally if needed, but NOT remotely.

    :)

    ALSO, try this (for DCOM solely) - HOW TO DISABLE REMOTE DCOM ACTIVITY:

    http://support.microsoft.com/default.aspx?kbid=826382

    ==========================================

    To determine if you have support for RPC over HTTP enabled on servers running Windows Server 2003, follow these steps:

    1. In Control Panel, click Add/Remove Programs.
    2. Click Add/Remove Windows Components.
    This will start the Windows Components Wizard.
    3. Click Networking Services, and then click Details.
    If the RPC over HTTP Proxy check box is selected, RPC over HTTP support is enabled on the server.

    DCOM is a protocol that can be used on top of the RPC protocol by client / server applications. By default, a server running Windows Server that is configured to support RPC over HTTP will also accept DCOM requests using this protocol. These DCOM requests are then sent to a local port on the server implementing RPC over HTTP (TCP port 593).
    Security best practices recommend disabling or removing all nonessential components and services.

    If DCOM support is not required on your RPC over HTTP servers, you can remove DCOM support by modifying the registry. To use RPC over HTTP to remove DCOM support, follow these steps:

    WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    1. Click Start, click Run, type Regedit.exe, and then click OK.
    2. Locate the following registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy

    Note Entries in the "ValidPorts" REG_SZ string value are separated by a semicolon. By default, Windows Server 2003 has the following entry:

    <Local_server_name>:100-5000

    This entry allows RPC over HTTP to use ports 100-5000.

    3. Change the default entry that is listed in the note in step 2 to the following:
    <Local_server_name>:100-592;<Local_server_name>:594-5000

    Doing this disables support for DCOM.

    4. Remove any entries or any other port ranges that explicitly contain ":593". For example, remove the following entry:
    <servername>:593

    5. Remove any entries or any other port ranges that implicitly contain "593". For example, remove the following entry:
    <servername>:100-2000
    and replace it with:
    <Local_server_name>:100-592;<Local_server_name>:594-2000

    When you remove entries for port 593, you prevent DCOM from being used through the RPC over HTTP protocol, but RPC programs (like the Outlook 2003 client) are permitted to connect to the RPC server (Exchange 2003 Server) through RPC over HTTP.

    When you use RPC over HTTP to remove DCOM support, you can help mitigate the vulnerabilities that are addressed in security bulletin MS03-026 for servers that expose RPC services over HTTP ports 80,443.
    ==========================================

    * Once you make those settings, you will have to reboot, & test "OneCare Live"'s ability to update its antivirus signatures again... thanks, if you find time to try this!

    APK

    P.S.=> Change them back when done, if this adversely affects "OneCare Live" &/or "Windows Defender"'s abilities to remotely update their antispyware/antivirus signatures... Doing this enable/disable of DCOM &/or COM+ is actually a potential security measure, since you stop its access remotely, BUT, it can 'adversely affect' apps that use DCOM/COM+/RPC as their update mechanism though... this is a way to test that! If it doesn't, I'd disable it but to each his own...

    This MIGHT also affect "Windows Update" service itself as well, but I have not tested that... I download all Ms' updates & store them here, manually, rather than let "Windows Update" do them for me, automagically... apk
     
    Alec§taar, Apr 11, 2020
    #2
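
The port-range edit from the KB steps quoted in the post above, as an added PowerShell example (not part of the original post or of the KB article): it parses a ValidPorts string and rewrites every entry that covers port 593. The function names and the EXCH01 sample values are constructed for illustration.

```powershell
# Added example. Function names and sample data are hypothetical.
# On a live RPC over HTTP server the current value can be read with:
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts

function Format-PortRange([string]$Server, [int]$Low, [int]$High) {
    if ($Low -eq $High) { "${Server}:${Low}" } else { "${Server}:${Low}-${High}" }
}

function Remove-Port593 {
    param([Parameter(Mandatory)][string]$ValidPorts)

    $blocked = 593
    $kept = foreach ($entry in $ValidPorts -split ';') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        # Entry format: <server>:<port> or <server>:<low>-<high>
        $idx = $entry.LastIndexOf(':')
        if ($idx -lt 1) { $entry; continue }      # unparseable: keep for manual review
        $server = $entry.Substring(0, $idx)
        $ports  = $entry.Substring($idx + 1)

        if ($ports -match '^(\d+)-(\d+)$') {
            $low  = [int]$Matches[1]
            $high = [int]$Matches[2]
        } elseif ($ports -match '^\d+$') {
            $low  = [int]$ports
            $high = $low
        } else { $entry; continue }               # unparseable: keep for manual review

        # Entry does not cover 593: keep it unchanged
        if ($blocked -lt $low -or $blocked -gt $high) { $entry; continue }

        # Entry covers 593 explicitly or implicitly (steps 3-5): keep only
        # the ports below and above it; a bare ":593" entry is dropped
        if ($low -lt $blocked)  { Format-PortRange $server $low ($blocked - 1) }
        if ($high -gt $blocked) { Format-PortRange $server ($blocked + 1) $high }
    }
    $kept -join ';'
}

# Constructed sample values (EXCH01 is a placeholder server name)
$samples = 'EXCH01:100-5000', 'EXCH01:593', 'EXCH01:100-2000;EXCH01:6001-6004'
foreach ($s in $samples) {
    '{0}  ->  {1}' -f $s, (Remove-Port593 -ValidPorts $s)
}
```

The function only computes the new string; compare it with the current value and write it back yourself after reviewing any entries it passed through unparsed.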
  3. Ahhzz Win User
    Windows 10 Tweaks

    As you may already know, Windows 10 (as well as Windows 8) allows you to log in with a valid Microsoft account, instead of creating a local account that only works on your machine. However, you may prefer to keep a local account for privacy reasons. If you do, though, some Windows 10 features—like Cortana—may not work. Despite the default behavior, the Windows 10 Store is not one of them. You can still log in to your Microsoft account for just the Store without switching to a full Microsoft account. The process, however, is not terribly obvious. To do so, follow these steps:

    • Launch the Store from your Start menu.
    • Click the user icon next to the search box.
    • Click “Sign-in” from the menu that appears.
    • Choose “Microsoft account” and log in like normal.
    • When the “Make it yours” box appears do not enter your password. Instead, click “Sign in to just this app instead.”
    from Lifehacker
     
    Ahhzz, Apr 11, 2020
    #3
  4. Microsoft Selects Dolby Audio for Windows 10

    It would've been great if Microsoft added HEVC decoders, LAV filters along with other codecs with Windows 10, and developing WMP to be better than VLC, KMPlayer and such sorts of media players.

    Nevertheless, this is a good step for Microsoft, by far.
     
    Analog_Interface, Apr 11, 2020
    #4