DCom dangers offer lessons for .net users

What is Microsoft's Distributed Common Object Model (DCom)? This is a question every IT manager should be asking because over the...

What is Microsoft's Distributed Common Object Model (DCom)? This is a question every IT manager should be asking because over the past few weeks they have had to deal with the consequences of security holes related to DCom.

Essentially, DCom is a clever piece of technology within the Windows operating system that enables one application to communicate with another by exchanging data and providing services that can be invoked by other DCom-aware applications.

Com provides such inter-application communications between software running on the same machine. So a Word document can embed a live spreadsheet from Excel, or Internet Explorer can display a Powerpoint slide.

DCom is the version of the Com protocol that extends inter-application communication to external computers so that a client PC can call up a DCom-aware service running on a server.

So far so good, but DCom is extremely powerful, easy to abuse, and the latest alert from Microsoft identified not one, but three holes in the way it handles external requests to run a service.

For tight security, access to servers connected directly to the internet should be controlled by configuring firewalls and routers. That means switching off all services other than web (on port 80), and possibly secure web (https) and e-mail.

So why should users have port 135 open? Microsoft's DCom service uses it, as do those annoying pop-up adverts that we often see when browsing websites. Disable it and the security issues resulting from DCom are all but stopped, as are the annoying pop-ups.

Users can go even further. Russ Cooper, who runs the Ntbugtraq Windows security mailing list, advises users to disable DCom within Windows itself by editing the DCom configuration in the Windows registry.

But disabling DCom is not in Microsoft's interest. Its website offers plenty of advice on securing your PC, from running the latest anti-virus software to installing the latest patches. But nowhere does Microsoft actually recommend disabling DCom, either directly, or via the firewall port it uses (port 135).

It should also take the opportunity to advise users to switch off port 1434, which was abused by the SQL Slammer worm in January. While such advice would go a long way to securing the Windows operating system, these ports are core to Microsoft's future strategy.

Microsoft's .net technology relies on servers communicating over port 80, which is the same port used for accessing websites. As a consequence it is the most popular and least secure of all IP traffic. If Microsoft cannot keep DCom 135 and port 1434 (used by SQL Server) users secure, what is the chance it can control port 80 when .net arrives?

I suspect the recent spate of security alerts relating to DCom was a dress rehearsal. When users start building .net into their web-based applications they will need a fast, efficient means of dealing with security alerts. Unless they get it right now, there is little chance users will be able to cope with the security pressures that .net will more than likely impose on IT departments.

What do you think?

Are you confident you can secure your .net environment? Tell us in an e-mail >> ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.

Read more on IT strategy