This is a much simplified explanation of DCOM issues, included here only because I noticed a Download Helper that might require DCOM. Questions regarding DCOM should be submitted to the GRC ShieldsUp newsgroup and further reading is recommended.
DCOM (Distributed COM services) is installed by default with Win2k and NT (as of SP4). Though not initially installed with Win9x, it can be downloaded from the MS DCOM site. It may also be installed by many other applications or updates, including IE 5. From the MS DCOM site:
"The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure, and efficient manner. Previously called 'Network OLE,' DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. DCOM is based on the Open Software Foundation's DCE-RPC spec and will work with both Java applets and ActiveX® components through its use of the Component Object Model (COM)."
Networks and Workgroups may use DCOM to access resources on secure corporate networks. Home users usually don't need to have DCOM active. It all depends on what applications users choose to use. Each user must investigate their own systems to determine if DCOM is being used for what they consider a legitimate purpose or necessary function.
Windows Media Encoder is just one of the apps that will activate DCOM. "Live Update" type applications that come pre-installed by many computer manufacturers (Compaq, HP, Dell, etc) usually require DCOM. @Home users may have it activated when installing their Internet access software. Users who have installed ISP-specific software (Earthlink's, for example), may also have this installed. (I can't say this too many times: Do not install ISP software. Use Dialup Networking and the browser you already have instead. If your ISP requires you use their software, get another ISP if possible.)
The existence of DCOM first becomes obvious to many users after installing a firewall like Zone Alarm since DCOM will attempt to access the Internet if it's enabled.
DCOM and Port 135
DCOM uses Port 135 for transmissions so users who check their ports will find this one open if DCOM is enabled. GRC newsgroup users should direct questions about DCOM and Port 135 to the ShieldsUp Newsgroup.
From "Phil Y" Jun 28-00: "I use ZoneAlarm and, although I never gave DCOM Internet access privileges, it kept port 135 open. Specifically denying Internet access to DCOM did not work. Only after disabling DCOM in the registry did ZoneAlarm stealth port 135."
Disabling DCOM alone may not close Port 135, as other applications can force it open. To determine which program is holding the port, try the "Ports Finder" feature of AWSPS (www.atelierweb.com/pscan/, 15-day fully functional free trial) or a similar program. See Buzz Walradt's GRC FAQ Links website for other programs: web2.airmail.net/buzz/faqlinks.htm.
CounterExploitation's "Possible Spyware: RPCSS.EXE, mdm.exe" page (cexx.org/rpcss.htm) has more info and links.
This Computing.net forum thread (www.computing.net/windows95/wwwboard/forum/3943.html) has information on DCOM / Port 135, including discussion of RPCSS.exe and MDM.exe. A post dated August 17, 2000 discusses use of DCOM Services being "...used to profile product key and other registration data as a future means to enforce software piracy laws that have yet to be adequately enforced at a Federal level."
Enabling and Disabling DCOM
Warning: Disabling DCOM may cause some applications to stop working.
Start by reading the Windows Help (98 only?) section on DCOM. On the Start Menu, choose Help, type in DCOM and hit "Display." From reading over the numerous older posts on GRC newsgroups, it appears the file name may be different depending on OS or which other software program installed DCOM. If you can't find dcomcnfg.exe, use "Find" to search for dcom. If you come across a .inf file, opening it in notepad may tell you what version of DCOM is installed.
Enabling and disabling DCOM msdn.microsoft.com/library/psdk/com/security_8bzh.htm
This MS Library article gives directions for enabling/disabling DCOM with Dcomcnfg.exe. Disabling DCOM through this interface should change the value of the Registry key noted in step 2 (below) to N.
COM Security FAQ support.microsoft.com/support/kb/articles/Q158/5/08.asp
This FAQ includes directions for enabling / disabling DCOM by editing the Registry.
Caution: The following directions are for reference only. Proceed at your own risk. A system backup before making changes is recommended. Editing the Windows Registry can cause major problems if done incorrectly. Always back up the Windows Registry before making any changes (see Registry Links). These changes require a reboot to put them into effect.
1. If HKEY_LOCAL_MACHINE\Software\Microsoft\OLE has the value "EnableDCOM" set to Y, change this value to N to disable DCOM.
2. Although the MS FAQ says this second key is for Win95 only and that it is set to N by default, I found this in my Win98 registry set to Y though I've never had Win 95 installed:
If HKEY_LOCAL_MACHINE\Software\Microsoft\OLE has the value "EnableRemoteConnections" set to Y, change it to N to disable DCOM.
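The two checks above (the OLE registry values, and whether something other than DCOM is still holding Port 135 open) can be done from a script on a current Windows system. The following is an added example, not from the original page or from any of the programs it links to; it assumes Windows 8 / Server 2012 or later with PowerShell 3+, where the Get-NetTCPConnection cmdlet exists, rather than the Win9x/NT/2000 systems the page describes. It only reads the values; it does not change them.

```powershell
# Added example (not from the original page): audit the DCOM registry switches
# and report which process is listening on TCP port 135.
# Assumes Windows 8 / Server 2012 or later with PowerShell 3+.
# Run from an elevated prompt so process names resolve for system services.

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# Both values are REG_SZ strings holding "Y" or "N", as described in steps 1 and 2.
$ole = Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue
foreach ($name in 'EnableDCOM', 'EnableRemoteConnections') {
    $value = $ole.$name
    if ($null -eq $value) { $value = '(not present)' }
    '{0,-25} = {1}' -f $name, $value
}

# The RPC endpoint mapper listens on 135. Report every listener and the process
# (and any Windows services hosted in it) that owns the socket, since disabling
# DCOM alone may leave the port open for another program.
$listeners = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    'Nothing is listening on TCP port 135.'
} else {
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)" |
                Select-Object -ExpandProperty Name
        '{0}:{1} pid {2} ({3}) services: {4}' -f $conn.LocalAddress, $conn.LocalPort,
            $conn.OwningProcess, $proc.ProcessName, ($svc -join ', ')
    }
}
```

If the EnableDCOM line prints Y but the port is owned by a process other than the RPC service, that process is the one to investigate, which is the situation the "Ports Finder" advice above is meant to diagnose. Applying step 1 itself is the same Set-ItemProperty on the EnableDCOM value followed by a reboot, with the usual Registry backup first.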
The following info has been consolidated and reworded from posts on the GRC optout newsgroup:
From "NT Canuck" and "CK" Sept 05-00: "mdm.exe 'machine debug manager' is a feature of MS Office and some VB and C++ optional programs. In Internet Explorer 5.5, go to the Tools menu, Properties option, Advanced tab and place a checkmark in: DISABLE SCRIPT DEBUGGING and uncheck the option to: DISPLAY a notification about all script errors. (Wording of the options may be different in earlier versions of IE.) If you don't use scripting in MS Office, it should be deselected from Options. More info is available from the links below." [Note: For IE 4.73, this was accomplished by choosing View | Internet Options | Advanced, then putting a check mark in DISABLE SCRIPT DEBUGGING under the Browsing Options section.]
OFF2000: Files Whose Name Begins with "fff" Appear in Windows Folder support.microsoft.com/support/kb/articles/Q158/5/08.asp
This FAQ includes directions for disabling Mdm.exe by editing the Registry.
LangaList: More Files You Can Safely Delete www.langa.com/newsletters/1999/oct-18-99.htm
Microsoft SOAP msdn.microsoft.com/library/periodic/period00/soap.htm
From MS: "Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall."
From "Tom S" Jun 17-00: "Worried about DCOM? Look at SOAP. SOAP may very well be the successor to DCOM. From what I can tell, the major advantage is that SOAP is designed to run on HTTP port 80 so that firewalls won't be able to block it out like they can do now with DCOM. Sound familiar? It is cross platform with a huge potential for security problems."
"Now, there are lots and lots of ways to secure DCOM applications, so maybe all of those applications are happily responding only to authenticated requests from the local machine. On the other hand, there are lots and lots of ways to make DCOM applications insecure, so maybe one of them is just waiting for somebody to send it an entirely unauthenticated request to overwrite selected files on my hard disk. Firewalls have good reasons for blocking protocols like DCOM coming from untrusted sources. Protocols that sneak them through are not what's wanted."
Last Updated: Sept 07-00