Hi Guys,

We have a Mixed mode SCCM setup in our organization.

Our Security team uses Qualys Guard tool to find Vulnerabilities present in our environment.

It has found that "DCOM Enabled" as a vulnerability and suggesting us to disable DCOM.

I am just curious and want to know in any way will it affect SCCM environment?

Regards,

Thangaraj

Hi,

SCCM uses WMI heavily which in turn uses DCOM. More information can be found below, so DCOM cannot be disabled.

http://technet.microsoft.com/en-us/library/bb633148.aspx

Regards,
Jrgen

Hi Jorgen,

Thanks for your prompt response.

What i understood from your answer and the above link is that " DCOM must be enabled to connect to the SMS provider remotely through the SCCM console".

I just want to know what are the other major features/things which will affect, if we disable DCOM?. Thank you.

Regards,

Thangaraj

Hi,

Here is an old thread that discussed the same matter. http://social.technet.microsoft.com/Forums/systemcenter/en-US/b12a5c1e-d6f9-4d54-83ef-e3b869a55d32/dcom-disable-for-vulnerabilities-in-sccm-client-system

And as the article above mentions, ", and WMI internally uses DCOM." I would not disable it on the SCCM Servers.

Regards,
Jrgen

Hi Jorgen,

One last question.

Does DCOM required on clients as well for basic client operations like software updates, software distribution, sending status messages etc?

Thank you.

Regards,

Thangaraj

So, some random product by some random vendor identified a standard Windows configuration as a vulnerability and you're just going to shut it off? Sorry, but wow.

Hi Jason,

I do understand your point since the inception.

But my intention is to know what are the SCCM client operations/features which will affect when we disable it ?? (apart from remote connectivity thru console), so that i can show those justifications to our top management..

Thank you.

Regards,

Thangaraj

Only justification needed is that it's required and on by default. Disabling things in Windows (or any product) just because someone says *they* think its better causes problems all the time -- basically, do non-standard things, get non-standard results. Why do you have to justify a default setting, that's backwards, *they* should have to justify disabling a default setting and saying "it's a vulnerability" is not enough.

Hi Jason/Guys,

All i needed is the proper justification that in what are the things affect with respect to SCCM operations,

Please can anyone elaborate??

Thank u.

Regards,

Thangaraj

Thangaraj.... Almost everthing would be effected from Hardware and software inventory, Reporting, Software Update and Package distribution, policy download, state messages..etc... any feature which has any relation to following namespaces would be effected

• root\ccm
• root\CCM\ContentTransferManager
• root\CCM\DataTransferService
• root\CCM\Events
• root\CCM\invagt
• root\CCM\LocationServices
• root\CCM\Messaging
• root\CCM\PeerDPAgent
• root\CCM\Policy
• root\CCM\ScanAgent
• root\CCM\Scheduler
• root\CCM\SmsNapAgent
• root\CCM\SoftMgmtAgent
• root\CCM\SoftwareMeteringAgent
• root\CCM\SoftwareUpdates
• root\CCM\StateMsg
• root\CCM\VulnerabilityAssessment
• root\CCM\XmlStore
• root\cimv2\sms
• root\SmsDm
• root\sms
• root\sms\inv_schema
• root\sms\site_<sitecode>

SCCM for almost all purposes use WMI and WMI is dependant on DCOM.

Then you'll need to contact Microsoft directly and open a support case (and probably pay them money for doing it).

Justification is that it is enabled by default and disabling default "things" is not generally recommended and generally causes havoc: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM304

Thanks jason and everyone for your brief explanations.