-
제목
Comparison between DCOM (WMI) and WInRM technologies -
설명
What are the key differences between DCOM (WMI) and WinRM for managing and collecting data from Windows systems?
-
해결 방안
Both DCOM and WinRM leverage WMI (Windows Management Instrumentation) to collect and manage resources on Windows operating systems. However, these two protocols differ significantly in their design, security, and usage:
DCOM (Distributed Component Object Model)
-
Introduced with Windows NT, DCOM is an older, legacy technology.
-
Enabled by default on many Windows servers primarily for backward compatibility.
-
Considered obsolete and deprecated by Microsoft; usage is not recommended.
-
Deeply integrated into Windows OS and used by many native services such as Microsoft Management Console (MMC).
-
Because DCOM allows remote execution of programs, it can be exploited by attackers for lateral movement across a network.
-
Accessing DCOM remotely requires only PowerShell, making malicious activity hard to detect since it mimics legitimate administrative behavior.
WinRM (Windows Remote Management)
-
WinRM is a modern, Microsoft-recommended protocol for remote management.
-
Uses HTTP/HTTPS with SOAP messaging to communicate, typically over ports 80, 443, or 5985/5986 (WinRM v2 with SSL).
-
Functions as an HTTP-based API for WMI, returning data formatted in XML rather than native objects.
-
XML-based communication enables easier traversal through firewalls that perform deep packet inspection on standard web ports.
-
WinRM 1.1 supported sharing ports 80/443 with IIS, but this feature was removed in v2.0 due to incompatibility with Network Load Balancing (NLB), which requires dedicated ports 5985 and 5986 for SSL.
-
Both the WinRM listener and ports must be properly configured on the target machine using WinRM commands.
-
All data transmitted via WinRM is encrypted using the host's Integrated Windows Authentication (NTLM or Kerberos). SSL can be used in environments with PKI, overriding NTLM/Kerberos.
Port Considerations
-
Traditional WMI over DCOM uses RPC, which initially connects on TCP port 135 and then dynamically assigns a high port (usually between 49152–65535) for subsequent communication.
-
Firewalls or routers not aware of RPC/WMI protocols must allow this entire range or require configuring Windows to restrict RPC ports globally.
-
For simpler firewall management, it is recommended to use a static port instead of a dynamic port range. See KB 4289831 for instructions on configuring a static port.
Summary
Feature DCOM (WMI) WinRM Introduced Windows NT (legacy) Modern Microsoft-recommended Default on Windows Yes (legacy reasons) Requires configuration Protocol Type RPC-based HTTP(S) + SOAP Firewall Ports TCP 135 + dynamic high ports TCP 80, 443, 5985, 5986 Security Less secure, vulnerable to lateral attacks Encrypted with NTLM/Kerberos or SSL Data Format Native WMI objects XML Ease of firewall traversal Difficult (dynamic ports) Easier (standard HTTP ports) Microsoft Recommendation Deprecated Recommended
For more details on configuring static ports for WMI/DCOM, see:
https://support.quest.com/kb/4289831 -