
MC337322 – Hardening changes coming March 8: Windows DCOM Server Security Feature Bypass (archived)


check before: 2022-06-14

Product:

Office 365 general

Platform:

World tenant, Windows Desktop

Status:

Change type:

Admin impact

Links:

Details:

In 2021, CVE-2021-26414 was created to track a security vulnerability discovered in the Windows Distributed Component Object Model (DCOM) Remote Protocol. Windows updates released September 2021 and later address this vulnerability by including changes that will progressively increase security hardening in DCOM. We recommend that you verify whether client or server applications that use DCOM or RPC work as expected with the hardening changes enabled. Some configurations might require action by June 2022 to ensure normal operations.


When will this happen:
Refer to the below timeline to understand the progressive hardening coming to DCOM in 2022.


June 8, 2021: Hardening changes disabled by default but with the ability to enable them using a registry key.
June 14, 2022: Hardening changes enabled by default but with the ability to disable them using a registry key.
March 14, 2023: Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Created:
2022-03-01

updated:
2022-08-27



changes*

Date: 2022-09-15
Property: MC prepare
new:

During the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:


Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: "RequireIntegrityActivationAuthenticationLevel"
Type: dword
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.


Devices must be restarted after setting this registry key, for it to take effect. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.


To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.


If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround.


Additional Information:
It is important to ensure proper testing for this change. Please review the below documentation.


KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
Microsoft Docs: Distributed Component Object Model (DCOM) Remote Protocol
https://docs.microsoft.com/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414
https://support.microsoft.com/help/5004442
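
A read-only check for the testing step described above, as an added example that is not Microsoft's or cloudscout.one's code: it reports the state of the registry value and summarizes events 10036, 10037 and 10038 from the System log. The provider name `Microsoft-Windows-DistributedCOM` and the 30-day window are assumptions not stated on this page.

```powershell
# Added example (not from the original message). Makes no changes to the system.
$path = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the effective default follows the timeline phase of the
        # installed update (disabled at first, enabled from June 14, 2022).
        return 'NotDefined'
    }
    switch ([int]$item.$name) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected value: $($item.$name)" }
    }
}

function Get-DcomHardeningEvents {
    param([int]$Days = 30)   # look-back window, an assumption of this example
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'   # assumption, see lead-in
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

"Hardening registry state: $(Get-DcomHardeningState)"

$events = @(Get-DcomHardeningEvents -Days 30)
if ($events.Count -eq 0) {
    'No DCOM hardening events (10036-10038) in the last 30 days.'
} else {
    # Count per event ID and show the first line of the latest message for each,
    # which helps identify the affected client or server application.
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Latest  = $latest.TimeCreated
            Message = ($latest.Message -split "`r?`n")[0]
        }
    } | Format-List
}
```

Run it from an elevated PowerShell session on both the DCOM server and its clients.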

*starting April 2022

Last updated 11 months ago
