XP SP2 Issues – Using the System Provided Surrogate (dllhost.exe)

DLLHost.exe can be used as a surrogate host for COM servers that are exposed via DCOM/COM+. On XP SP2 the situation may arise that you need to allow your surrogate hosted DCOM app to be accessible from outside of the personal firewall. Typically you would add your process to the firewall white list (trusted apps that are allowed access through the firewall) but the problem with doing this for dllhost.exe is that this opens the firewall for your DCOM server and any other application running under dllhost.exe. You may or may not want to do this.

Here’s a list of possible resolutions to this type of scenario:

  1. Add dllhost.exe to the white list.

PRO: This is easily accomplished and doesn’t require any modification or redeployment of your application.

CON: All applications running within the context of dllhost.exe now have access through the firewall which may expose applications that have vulnerabilities that could allow someone to compromise the system.

  2. Open the firewall for DCOM.

(See Using Distributed COM with Firewalls on how to implement this)

PRO: This is easily accomplished and doesn’t require any modification or redeployment of your application.

CON: All DCOM applications are now accessible through the firewall which again may expose a vulnerable application. This also causes extra work in setting DCOM permissions properly which in itself may break some DCOM applications.

  3. Write a custom surrogate for your DCOM server.

PRO: This allows you to white list only one application that you have primary control over.

CON: Causes a lot of work to write and test your own surrogate and forces redeployment of your application. For a DLL surrogate sample see the book “Inside Distributed COM”.

  4. Give your DCOM application a fixed endpoint and open those ports in the firewall (See: Q217351 PRB: DCOM Port Range Configuration Problems).

PRO: This minimizes the number of ports open in the firewall and allows your DCOM server to work but doesn’t force you to white list dllhost.exe.

CON: May cause some bottlenecks with high traffic DCOM applications. Also on XP you cannot specify a fixed endpoint for COM+ applications (this functionality currently exists on server versions of the OS).
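The following batch script is an added example, not part of the original post, that puts options 1 and 4 side by side on XP SP2 using the `netsh firewall` context that shipped with SP2 and `reg.exe`. Option 1 is left as a commented-out line because it is the broad choice; option 4 registers a fixed endpoint for one classic DCOM server and opens only that port plus TCP 135 for the RPC endpoint mapper, scoped to the local subnet. The AppID GUID, the port number and the rule names are placeholders chosen for this example, and the `Endpoints` value format (`protseq,flags,port` with flag 0 meaning “use this endpoint”) is an assumption you should confirm against the Endpoints tab in DCOMCNFG. As the post notes, the per-application endpoint does not apply to COM+ applications on XP. Run from an administrative command prompt.

```batch
@echo off
rem Added example, not from the original post: option 1 vs option 4 on XP SP2.
rem Placeholders: replace APPID and DCOM_PORT with your server's values.
set APPID={00000000-0000-0000-0000-000000000000}
set DCOM_PORT=5000

rem ---- Option 1 (broad): white-list the shared surrogate ----
rem Every component hosted in ANY dllhost.exe instance becomes reachable
rem through the firewall, not just your server. Left commented out on purpose.
rem netsh firewall add allowedprogram program=%SystemRoot%\system32\dllhost.exe name="DLLHost surrogate" mode=ENABLE scope=SUBNET

rem If dllhost.exe was white-listed earlier, remove that entry first so the
rem narrower rules below are the only path in.
netsh firewall delete allowedprogram program=%SystemRoot%\system32\dllhost.exe >nul 2>&1

rem ---- Option 4 (narrow): fixed endpoint for one DCOM server ----
rem Pin this AppID to a single TCP port instead of a dynamic RPC port.
rem Value format "ncacn_ip_tcp,0,<port>" is an assumption; verify in DCOMCNFG.
reg add "HKCR\AppID\%APPID%" /v Endpoints /t REG_MULTI_SZ /d "ncacn_ip_tcp,0,%DCOM_PORT%" /f
if errorlevel 1 (
    echo Failed to write Endpoints for %APPID%; are you running as an administrator?
    exit /b 1
)

rem Clients still contact the SCM on TCP 135 for activation, then connect to
rem the fixed port, so exactly two port openings are needed. scope=SUBNET keeps
rem both closed to anything outside the local subnet.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=%DCOM_PORT% name="DCOM server fixed endpoint" mode=ENABLE scope=SUBNET

rem ---- Verify what is actually open ----
rem Expect the two port openings above and NO dllhost.exe program exception.
netsh firewall show config
```

The `delete allowedprogram` line is what turns this into a real narrowing: if dllhost.exe stays on the white list, the two port openings add nothing because the surrogate is already reachable on every port it listens on. Re-run `netsh firewall show config` after any DCOM change; a stray dllhost.exe or a blanket 135 opening without the fixed endpoint puts you back in option 1 or option 2 territory.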

One argument against white listing a given application is that executables can be renamed to the white listed app and can then circumvent the firewall. While true, this would mean that there’s something already on your system that has enough privileges to do so. In other words: the system has already been compromised. The firewall is there to prevent things from getting to your machine, not to prevent things from getting off of your machine.