Add policy for remote DCOM traffic

Author: Harvester57

AdditionalSystemHardening.admx

@@ -18,6 +18,17 @@
     <policies>
         <!-- Hardening policies section -->
         <!-- SYSTEM SETTINGS -->
+        <!-- Block remote DCOM connections -->
+        <policy name="RemoteDCOM" class="Machine" displayName="$(string.RemoteDCOM)" explainText="$(string.RemoteDCOM_Explain)" key="SOFTWARE\Microsoft\Ole" valueName="EnableDCOM">
+            <parentCategory ref="System" />
+            <supportedOn ref="windows:SUPPORTED_Windows_6_3" />
+            <enabledValue>
+                <string>N</string>
+            </enabledValue>
+            <disabledValue>
+                <string>Y</string>
+            </disabledValue>
+        </policy>
         <!-- Launch VBS in Mandatory mode -->
         <policy name="MandatoryVBS" class="Machine" displayName="$(string.MandatoryVBS)" explainText="$(string.MandatoryVBS_Explain)" key="SYSTEM\CurrentControlSet\Control\DeviceGuard" valueName="Mandatory">
             <parentCategory ref="System" />

CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Policy to enable or disable detailed BSODs
 - Policies to control Attack Surface Reduction rules in Windows Defender
   - Credits to @MichaelGrafnetter and his project: https://github.com/MichaelGrafnetter/defender-asr-admx
+- Policy to enable or disable remote DCOM traffic
 ### Changed
 - Updated translations, wording and descriptions for consistency in en-US and fr-FR
 - Fixed a typo in Microsoft's SecGuide template

en-US/AdditionalSystemHardening.adml

@@ -13,6 +13,10 @@
                   <string id="Adobe">Additional Adobe Acrobat settings</string>
                   <!-- POLICIES -->
                   <!-- System policies -->
+                  <string id="RemoteDCOM">Block remote DCOM connections</string>
+                  <string id="RemoteDCOM_Explain">If you enable this policy, no remote clients may launch servers or connect to objects on this computer. Local clients cannot access remote DCOM servers; all DCOM traffic is blocked.
+
+If you disable this policy, launching of servers and connecting to objects by remote clients is allowed on a per-class basis according to the value and access permissions of the class's LaunchPermission registry value and the global DefaultLaunchPermission registry value.</string>
                   <string id="LSA_RunAsPPL">Enable additional LSA process hardening</string>
                   <string id="LSA_RunAsPPL_Explain">Enable this option to allow the LSA process to run as a PPL (Protected Process Light), in order to disallow its debugging.</string>
                   <string id="LSA_SamDisableListenOnTCP">Disable the SAM server TCP listener</string>

fr-FR/AdditionalSystemHardening.adml

@@ -13,6 +13,10 @@
                   <string id="Adobe">Paramètres de durcissement pour Adobe Acrobat</string>
                   <!-- POLICIES -->
                   <!-- System policies -->
+                  <string id="RemoteDCOM">Bloquer les connexions DCOM distantes</string>
+                  <string id="RemoteDCOM_Explain">Si vous activez cette stratégie, aucun client distant ne peut lancer de serveurs ou se connecter à des objets sur cet ordinateur. Les clients locaux ne peuvent pas accéder aux serveurs DCOM distants; tout le trafic DCOM est bloqué.
+
+Si vous désactivez cette stratégie, le lancement de serveurs et la connexion à des objets par des clients distants sont autorisés par classe en fonction de la valeur et des autorisations d'accès de la valeur de Registre LaunchPermission et de la valeur de Registre globale DefaultLaunchPermission.</string>
                   <string id="LSA_RunAsPPL">Activer le durcissement additionnel du processus LSA</string>
                   <string id="LSA_RunAsPPL_Explain">Activer cette stratégie pour permettre au processus LSA de se lancer en tant que PPL (Protected Process Light), interdisant son débogage.</string>
                   <string id="LSA_SamDisableListenOnTCP">Désactiver l'écoute TCP du serveur SAM</string>