{
	"id": "a73315cd-2bd3-44a5-bb21-b2ec68f8c541",
	"created_at": "2026-04-06T00:21:57.759584Z",
	"updated_at": "2026-04-10T03:20:52.650334Z",
	"deleted_at": null,
	"sha1_hash": "0a700d9f2a0e29cdfcc8fae4901317e380a8c840",
	"title": "Distributed Transaction Coordinator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57023,
	"plain_text": "Distributed Transaction Coordinator\r\nBy Archiveddocs\r\nArchived: 2026-04-05 21:49:18 UTC\r\nApplies To: Windows Server 2003 with SP1\r\nThe Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more\r\ntransaction-protected resources, such as databases, message queues, file systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers.\r\nUsers of any computers that participate in DTC transactions, either directly or through other computers.\r\nSystem administrators of networks that use DTC components to perform transactions across networks.\r\nIn Windows Server 2003 Service Pack 1, DTC provides the administrator with greater control over the network\r\ncommunication between computers. By default, all network communication is disabled.\r\nIn order to manipulate the communication settings, the DTC security settings properties page has been enhanced.\r\nTo see the page, use the following procedure:\r\n1. Open the Component Services snap-in Microsoft Management Console (MMC).\r\n2. In the console tree, click the Computers folder.\r\n3. In the results pane, right-click My Computer and then click Properties.\r\n4. Click the MSDTC tab, and then click Security Configuration.\r\nThe table below defines the new fields in the property page, along with the registry keys affected for the different\r\nsettings. All the registry keys related to MSDTC are located in the following registry key:\r\nMyComputer\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\MSDTC\r\nWarning\r\nIncorrectly editing the registry may severely damage your system. Before making changes to the registry, you\r\nshould back up any valued data on the computer. 
These registry keys might not be supported in future releases.\r\nThe following table tells you where to find the MSDTC key specific values.\r\nhttps://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx\r\nPage 1 of 6\n\nSetting: Network DTC Access\r\nDescription: Determines whether DTC on the local computer is allowed to access the network. This setting must be enabled in combination with one of the other settings to enable network DTC transactions. Default setting: Off\r\nCorresponding registry value: Security\\NetworkDtcAccess (0 = Off, 1 = On)\r\n\r\nSetting: Allow Inbound\r\nDescription: Allows a distributed transaction that originates from a remote computer to run on this computer. Default setting: Off\r\nCorresponding registry value: To enable this setting you must set the following registry key values to 1: Security\\NetworkDtcAccess, Security\\NetworkDtcAccessTransactions, Security\\NetworkDtcAccessInbound. To disable this setting, you only need to set the following registry key value to 0: Security\\NetworkDtcAccessInbound\r\n\r\nSetting: Allow Outbound\r\nDescription: Allows the local computer to initiate a transaction and run it on a remote computer.\r\nCorresponding registry value: To enable this setting, you need to set the following registry key values to 1: Security\\NetworkDtcAccess, Security\\NetworkDtcAccessTransactions, Security\\NetworkDtcAccessOutbound. To disable this setting, you only need to set the following registry key value to 0: Security\\NetworkDtcAccessOutbound\r\n\r\nSetting: Mutual Authentication Required\r\nDescription: Adds support for mutual authentication in future versions and is the highest secured communication mode. 
In the current versions of Windows and Windows Server, it is functionally equivalent to the Incoming Caller Authentication Required setting. This is the recommended transaction mode for clients running Windows XP SP2 and servers running a member of the Windows Server 2003 family.\r\nWarning: You cannot use the Mutual Authentication Required transaction mode with computers that are in a clustered environment, or any computers that are negotiating transactions with such computers. In that context, you can use the Incoming Caller Authentication Required transaction mode instead. In a clustered environment, the computer account for the Distributed Transaction Coordinator service specifies the cluster node's host name instead of the transaction node's host name, which prevents the authentication request from succeeding when the Mutual Authentication Required transaction mode is enabled.\r\nCorresponding registry value: AllowOnlySecureRpcCalls = 1, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 0\r\n\r\nSetting: Incoming Caller Authentication Required\r\nDescription: Requires the local DTC to communicate with a remote DTC using only encrypted messages and mutual authentication. 
This setting is recommended for servers running Windows Server 2003 that are operating in a cluster. Only Windows Server 2003 and Windows XP SP2 support this feature, so you should only use this if you know that the DTC on the remote computer runs either the Windows Server 2003 or Windows XP SP2 operating system.\r\nCorresponding registry value: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 1, TurnOffRpcSecurity = 0\r\n\r\nSetting: No Authentication Required\r\nDescription: Provides system compatibility between previous versions of the Windows operating system. When enabled, communication on the network between DTCs can fall back to a non-authentication or non-encrypted communication if a secure communication channel cannot be established. This setting should be used if the DTC on the remote computer runs a Windows 2000 operating system or a Windows XP operating system earlier than SP2. This setting is also useful when the DTCs that are involved are located on computers that are in domains that do not have an established trust relationship or if the computers are part of a Windows workgroup.\r\nCorresponding registry value: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 1\r\n\r\nThese changes are important in order to secure any communication coming into or going out from the computer.\r\nBy default, after installing Windows Server 2003 Service Pack 1, the computer will not accept or issue any\r\nnetwork traffic and therefore will be less vulnerable to network attacks.\r\nAdditionally, the online network protocol has been upgraded to support a more securely encrypted and mutually\r\nauthenticated communication mode. 
This helps to ensure that attackers cannot intercept or take over\r\ncommunications between DTCs.\r\nAfter installing Windows Server 2003 Service Pack 1, all network communication coming out of or getting into\r\nDTC is disabled. For example, if a COM+ object attempts to update a SQL database on a remote computer using a\r\nDTC transaction, the transaction fails. Conversely, if your computer is hosting a SQL database that components\r\nfrom remote computers try to access using a DTC transaction, their transactions fail.\r\nIf your transactions fail because of network connectivity, you can use the MSDTC security properties, as described\r\npreviously in this document: select the Network DTC Access check box, and then select the Allow Inbound and\r\nAllow Outbound check boxes, as appropriate.\r\nIf you want to change these settings programmatically as part of your Windows Server 2003 Service Pack 1\r\ndeployment, you can directly change the registry values that correspond to your desired setting as described in the\r\ntable in “Securing all network communication by default,” earlier in this document. After you have changed the\r\nregistry settings, you must restart the MSDTC service.\r\nIf you are using Windows Firewall to protect the computers in your organization, you must add MSDTC into the\r\nexception list in the Windows Firewall settings. To do so, use the following steps:\r\n1. In Control Panel, open Windows Firewall.\r\n2. Click the Exceptions tab, and then click Add Program.\r\n3. Click Browse, and then add c:\\windows\\system32\\msdtc.exe.\r\n4. 
In Programs and Services, select the Msdtc.exe check box, and then click OK.\r\nSetting name | Location | Previous default value | Default value | Possible values\r\nNetworkDtcAccess | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\Security | 1 | 0 | 0,1\r\nNetworkDtcAccessTransactions | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\Security | 1 | 0 | 0,1\r\nNetworkDtcAccessInbound | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\Security | n/a | 0 | 0,1\r\nNetworkDtcAccessOutbound | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\Security | n/a | 0 | 0,1\r\nAllowOnlySecureRpcCalls | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC | n/a | 1 | 0,1\r\nFallbackToUnsecureRPCIfNecessary | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC | n/a | 0 | 0,1\r\nTurnOffRpcSecurity | HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC | n/a | 0 | 0,1\r\nSource: https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx"
	],
	"report_names": [
		"cc759136(v=ws.10).aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a700d9f2a0e29cdfcc8fae4901317e380a8c840.pdf",
		"text": "https://archive.orkl.eu/0a700d9f2a0e29cdfcc8fae4901317e380a8c840.txt",
		"img": "https://archive.orkl.eu/0a700d9f2a0e29cdfcc8fae4901317e380a8c840.jpg"
	}
}