DLLHost.exe can be used as a surrogate host for COM servers that are exposed via DCOM/COM+. On XP SP2 the situation may arise that you need to allow your surrogate hosted DCOM app to be accessible from outside of the personal firewall. Typically you would add your process to the firewall white list (trusted apps that are allowed access through the firewall) but the problem with doing this for dllhost.exe is that this opens the firewall for your DCOM server and any other application running under dllhost.exe. You may or may not want to do this.
Here’s a list of possible resolutions to this type of scenario:

1. White list dllhost.exe itself in the firewall.
   PRO: This is easily accomplished and doesn’t require any modification or redeployment of your application.
   CON: All applications running within the context of dllhost.exe now have access through the firewall, which may expose applications that have vulnerabilities that could allow someone to compromise the system.

2. Open the DCOM port range in the firewall instead of white listing a process (see Using Distributed COM with Firewalls on how to implement this).
   CON: All DCOM applications are now accessible through the firewall, which again may expose a vulnerable application. This also causes extra work in setting DCOM permissions properly, which in itself may break some DCOM applications.

3. Write your own surrogate process and white list that instead of dllhost.exe.
   PRO: This allows you to white list only one application that you have primary control over.
   CON: Causes a lot of work to write and test your own surrogate and forces redeployment of your application. For a DLL surrogate sample see the book “Inside Distributed COM”.

4. Configure a fixed endpoint for your DCOM server and open only that port.
   PRO: This minimizes the number of ports open in the firewall and allows your DCOM server to work but doesn’t force you to white list dllhost.exe.
   CON: May cause some bottlenecks with high traffic DCOM applications. Also, on XP you cannot specify a fixed endpoint for COM+ applications (this functionality currently exists on server versions of the OS).
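The following batch script is an added example, not part of the original post, that shows what the three firewall-side options look like on an XP SP2 box using the netsh firewall and reg commands that ship with the OS. The port numbers (5000-5020 and 5050) are constructed values chosen for illustration, and {YOUR-APPID-GUID} is a placeholder for the AppID of your own DCOM server. The broad dllhost.exe white list (option 1) is left commented out so that running the script only applies the narrower configurations.

```batch
@echo off
REM Added example (not from the original post): firewall configuration choices
REM for a DCOM server hosted in dllhost.exe on Windows XP SP2.
REM Run from an elevated command prompt. The RPC\Internet values only take
REM effect after a reboot.

REM --- Option 1 (broad): white list the surrogate process itself.
REM     Every COM+/DCOM server hosted by dllhost.exe becomes reachable, not
REM     just yours, so this is shown but not executed.
REM netsh firewall add allowedprogram program=%SystemRoot%\System32\dllhost.exe name="COM Surrogate" mode=ENABLE scope=SUBNET

REM --- Option 2: restrict the RPC dynamic port range, then open the endpoint
REM     mapper (135/tcp) and that range. All RPC/DCOM servers using dynamic
REM     endpoints now share these ports, so each of them becomes reachable too.
REM     5000-5020 is a constructed range for illustration.
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v Ports /t REG_MULTI_SZ /d "5000-5020" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v PortsInternetAvailable /t REG_SZ /d "Y" /f
reg add "HKLM\SOFTWARE\Microsoft\Rpc\Internet" /v UseInternetPorts /t REG_SZ /d "Y" /f
netsh firewall add portopening protocol=TCP port=135 name="RPC Endpoint Mapper" mode=ENABLE scope=SUBNET
for /L %%p in (5000,1,5020) do netsh firewall add portopening protocol=TCP port=%%p name="DCOM dynamic port %%p" mode=ENABLE scope=SUBNET

REM --- Option 4: pin one DCOM server to a fixed endpoint and open only that
REM     port plus the endpoint mapper. The Endpoints value lives under the
REM     server's AppID; the "0" field tells RPC to use the given endpoint.
REM     {YOUR-APPID-GUID} is a placeholder; 5050 is a constructed port.
REM     On XP this works for plain DCOM servers, not for COM+ applications.
reg add "HKCR\AppID\{YOUR-APPID-GUID}" /v Endpoints /t REG_MULTI_SZ /d "ncacn_ip_tcp,0,5050" /f
netsh firewall add portopening protocol=TCP port=135 name="RPC Endpoint Mapper" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=5050 name="MyDcomServer fixed endpoint" mode=ENABLE scope=SUBNET

REM --- Review the resulting firewall state so you can confirm that only the
REM     intended ports (and no program entry for dllhost.exe) are open.
netsh firewall show config
```

Note that scope=SUBNET limits each opening to the local subnet; drop it only if clients genuinely sit elsewhere. Pick option 2 or option 4, not both: option 4 alone is the one that keeps the exposed surface down to a single port for a single server.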
One argument against white listing a given application is that an executable can be renamed to the white listed application’s name and can then circumvent the firewall. While true, this would mean that there’s already something on your system with enough privileges to do so. In other words: the system has already been compromised. The firewall is there to prevent things from getting to your machine, not to prevent things from getting off of your machine.