Can DCOM be disabled safely?

[Paul Schmehl <pauls () utdallas edu>]

Earlier today I posted some preliminary research that I had been doing into 
the ramifications of disabling DCOM.  I reported that SMS was affected by 
it and several other things may be, including SUS, Group Policies and the 
Management Snap-in.  Since then, I have been corresponding with a gentleman 
who has been testing disabling DCOM in a test environment.

So far it appears that disabling DCOM will *not* impact the snap-ins, SUS 
or policies.  It also appears that it *may* not impact SMS either, although 
testing is ongoing.  I just wanted to clarify this in case some had taken 
my comments to be the final word.

Obviously everyone's environment is different, and what works in one might 
not work in another.  So proceed carefully.

With regard to my comments about SUS using Windows Update technology to 
verify patches (and therefore being subject to false positives), I quote 
from Microsoft:

"Software Update Services is based on the same back-end technology used on 
the public Windows Update site that has been servicing Windows customers 
since mid-1998."
<http://www.microsoft.com/windows2000/windowsupdate/sus/suscomponents.asp>

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html